Windows Analysis Report VknMvPoCXZ

Overview

General Information

Sample Name: VknMvPoCXZ (renamed file extension from none to exe)
Analysis ID: 483863
MD5: 0cecfa83ee6ea6dd1de38462bbedf15c
SHA1: de4dde34707658d98f50de8cf2a182bf7ded2a45
SHA256: a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
Tags: AfiaWaveEnterprisesOyAgentTeslaexesigned
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Drops PE files with benign system names
Creates an autostart registry key pointing to binary in C:\Windows
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Powershell Defender Exclusion
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Creates files inside the system directory
Found potential string decryption / allocating functions
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: VknMvPoCXZ.exe Virustotal: Detection: 47% Perma Link
Source: VknMvPoCXZ.exe ReversingLabs: Detection: 44%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe ReversingLabs: Detection: 44%
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe ReversingLabs: Detection: 44%

Exploits:

barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.VknMvPoCXZ.exe.3ba8c40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.7380000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.VknMvPoCXZ.exe.3ba8c40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3fa14c0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.481F404B.exe.4430a90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.36.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.6bd0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.481F404B.exe.4430a90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.6bd0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.3.svchost.exe.3d58c40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.37d17e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.7380000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.36.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.35.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.35.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.37d17e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.3.svchost.exe.3d58c40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3fa14c0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.430706914.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.593102084.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.263705038.0000000003B32000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.587807203.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.432260240.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.505699283.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.373601058.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.583823180.0000000003FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.588230224.0000000007380000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 481F404B.exe PID: 6392, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR

Compliance:

barindex
Uses 32bit PE files
Source: VknMvPoCXZ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: VknMvPoCXZ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: \REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002udio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: osymbols\dll\System.Windows.Forms.pdbvH source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.PDBm source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbPROCESSOR_ARCHITEW6432=AMD64 source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe
Source: Binary string: ndel\??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb9- source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
Source: Binary string: ease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb1 source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb.Forms.pdbpdbrms.pdbm.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files\??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe\??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb\??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbUSERDOMAIN=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbE> source: VknMvPoCXZ.exe, 00000001.00000000.400279978.0000000000AD8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb,U}< source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb@ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb\aero\Shell\4B6A7152\svch source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: ; .pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbCOMPUTERNAME=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb+ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
Source: Binary string: lib.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb9C-4437-8B11-F424491E3931}\Server source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdbDriverData=C:\Windows\System32\Drivers\DriverData source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb(m source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbs source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbZS!'~< source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbpdbtry.pdb_ source: VknMvPoCXZ.exe, 00000001.00000002.568888200.0000000000A84000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbS source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb(m source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: o.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
Source: Binary string: VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\System.Windows.Forms.pdbvs. source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: iHC:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdbM( source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: svchost.PDB source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: svchost.exe, 00000004.00000002.565621441.0000028D9A48A000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 00000004.00000002.565621441.0000028D9A48A000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000004.00000002.563938277.0000028D9A40F000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: VknMvPoCXZ.exe, 00000001.00000003.244837348.000000000082D000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: VknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: svchost.exe, 0000000B.00000002.309883940.0000021F0B413000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: VknMvPoCXZ.exe, 00000001.00000003.251876624.00000000055DD000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: VknMvPoCXZ.exe, 00000001.00000003.251440194.00000000055D9000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers19
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: VknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comicva
Source: VknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: VknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comue
Source: VknMvPoCXZ.exe, 00000001.00000003.245502248.00000000055EB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: VknMvPoCXZ.exe, 00000001.00000003.245502248.00000000055EB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comc
Source: VknMvPoCXZ.exe, 00000001.00000003.247610045.000000000560D000.00000004.00000001.sdmp, VknMvPoCXZ.exe, 00000001.00000003.247622790.00000000055D4000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: VknMvPoCXZ.exe, 00000001.00000003.248063336.00000000055D4000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: VknMvPoCXZ.exe, 00000001.00000003.247610045.000000000560D000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnf
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/5.
Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/H.
Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/c.
Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/curs
Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: VknMvPoCXZ.exe, 00000001.00000003.248063336.00000000055D4000.00000004.00000001.sdmp String found in binary or memory: http://www.microsoftc.
Source: AdvancedRun.exe, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: VknMvPoCXZ.exe, 00000001.00000003.245404887.00000000055EB000.00000004.00000001.sdmp, VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: VknMvPoCXZ.exe, 00000001.00000003.245404887.00000000055EB000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comnt
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krB2
Source: VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krlea
Source: VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kropyw2-
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: VknMvPoCXZ.exe, 00000001.00000003.245836341.00000000055EB000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comnm
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe String found in binary or memory: https://mhconsultores.net.ve/
Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0C
Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.309883940.0000021F0B413000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308834752.0000021F0B445000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: VknMvPoCXZ.exe, 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

DDoS:

barindex
Too many similar processes found
Source: powershell.exe Process created: 46

System Summary:

barindex
.NET source code contains very large array initializations
Source: VknMvPoCXZ.exe, u0039BD3B5D7/C84CE241.cs Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 481F404B.exe.1.dr, u0039BD3B5D7/C84CE241.cs Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: svchost.exe.1.dr, u0039BD3B5D7/C84CE241.cs Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 1.2.VknMvPoCXZ.exe.200000.0.unpack, u0039BD3B5D7/C84CE241.cs Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 1.0.VknMvPoCXZ.exe.200000.0.unpack, u0039BD3B5D7/C84CE241.cs Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 1.0.VknMvPoCXZ.exe.200000.13.unpack, u0039BD3B5D7/C84CE241.cs Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 1.0.VknMvPoCXZ.exe.200000.15.unpack, u0039BD3B5D7/C84CE241.cs Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 1.0.VknMvPoCXZ.exe.200000.1.unpack, u0039BD3B5D7/C84CE241.cs Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
Source: 24.0.481F404B.exe.a50000.0.unpack, u0039BD3B5D7/C84CE241.cs Large array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
Detected potential crypto function
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Code function: 1_2_002A55BB 1_2_002A55BB
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Code function: 1_2_002A098B 1_2_002A098B
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Code function: 1_2_024CC1F0 1_2_024CC1F0
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Code function: 40_2_0057098B 40_2_0057098B
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Code function: 40_2_005755BB 40_2_005755BB
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Code function: 40_2_011E98B0 40_2_011E98B0
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Code function: 40_2_07056928 40_2_07056928
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Code function: 40_2_0705C819 40_2_0705C819
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Code function: 40_2_07057090 40_2_07057090
PE file contains strange resources
Source: AdvancedRun.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.24.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.24.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Uses 32bit PE files
Source: VknMvPoCXZ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Creates files inside the system directory
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Windows\Resources\Themes\aero\Shell\4B6A7152 Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
Sample file is different than original file name gathered from version info
Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameAntiDump.dll2 vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.DevOps.Telemetry.dllP vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe, 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamevxrSmzjNKOKDOsAsVgFGKyJwRVHn.exe4 vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs VknMvPoCXZ.exe
Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs VknMvPoCXZ.exe
PE / OLE file has an invalid certificate
Source: VknMvPoCXZ.exe Static PE information: invalid certificate
Source: VknMvPoCXZ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Jump to behavior
Source: classification engine Classification label: mal100.troj.adwa.expl.evad.winEXE@113/58@0/2
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 6_2_00401306
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 6_2_0040A33B
Source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: VknMvPoCXZ.exe Virustotal: Detection: 47%
Source: VknMvPoCXZ.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File read: C:\Users\user\Desktop\VknMvPoCXZ.exe Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\VknMvPoCXZ.exe 'C:\Users\user\Desktop\VknMvPoCXZ.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
Source: unknown Process created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe'
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328
Source: unknown Process created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /SpecialRun 4101d8 6644
Source: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /SpecialRun 4101d8 6512
Source: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /SpecialRun 4101d8 6820
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 6_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 7_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 7_2_00408FC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 6_2_004095FD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1100:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2244
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_01
Source: VknMvPoCXZ.exe, u0039BD3B5D7/u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
Source: 481F404B.exe.1.dr, u0039BD3B5D7/u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
Source: svchost.exe.1.dr, u0039BD3B5D7/u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.VknMvPoCXZ.exe.200000.0.unpack, u0039BD3B5D7/u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.VknMvPoCXZ.exe.200000.0.unpack, u0039BD3B5D7/u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.VknMvPoCXZ.exe.200000.13.unpack, u0039BD3B5D7/u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.VknMvPoCXZ.exe.200000.15.unpack, u0039BD3B5D7/u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.VknMvPoCXZ.exe.200000.1.unpack, u0039BD3B5D7/u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
Source: 24.0.481F404B.exe.a50000.0.unpack, u0039BD3B5D7/u00364733196.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: VknMvPoCXZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: VknMvPoCXZ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: VknMvPoCXZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002udio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: osymbols\dll\System.Windows.Forms.pdbvH source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.PDBm source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbPROCESSOR_ARCHITEW6432=AMD64 source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe
Source: Binary string: ndel\??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb9- source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
Source: Binary string: ease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb1 source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb.Forms.pdbpdbrms.pdbm.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files\??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe\??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb\??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbUSERDOMAIN=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbE> source: VknMvPoCXZ.exe, 00000001.00000000.400279978.0000000000AD8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb,U}< source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb@ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb\aero\Shell\4B6A7152\svch source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: ; .pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbCOMPUTERNAME=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb+ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
Source: Binary string: lib.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb9C-4437-8B11-F424491E3931}\Server source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdbDriverData=C:\Windows\System32\Drivers\DriverData source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb(m source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbs source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbZS!'~< source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbpdbtry.pdb_ source: VknMvPoCXZ.exe, 00000001.00000002.568888200.0000000000A84000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbS source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb(m source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: o.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
Source: Binary string: VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\System.Windows.Forms.pdbvs. source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: iHC:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdbM( source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
Source: Binary string: svchost.PDB source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040B550 push eax; ret 6_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040B550 push eax; ret 6_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040B50D push ecx; ret 6_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 7_2_0040B550 push eax; ret 7_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 7_2_0040B550 push eax; ret 7_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 7_2_0040B50D push ecx; ret 7_2_0040B51D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_0040289F
Binary contains a suspicious time stamp
Source: VknMvPoCXZ.exe Static PE information: 0xDA8605A3 [Wed Mar 6 01:25:55 2086 UTC]

Persistence and Installation Behavior:

barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown Executable created and started: C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe
Drops PE files with benign system names
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe File created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe File created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Jump to dropped file
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Jump to dropped file
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe File created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Jump to dropped file
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B Jump to behavior
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe\:Zone.Identifier:$DATA Jump to behavior
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 6_2_00401306

Hooking and other Techniques for Hiding and Protection:

barindex
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00408E31
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.VknMvPoCXZ.exe.3ba8c40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.7380000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.VknMvPoCXZ.exe.3ba8c40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3fa14c0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.481F404B.exe.4430a90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.36.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.6bd0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.481F404B.exe.4430a90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.6bd0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.3.svchost.exe.3d58c40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.37d17e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.37d17e0.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.7380000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.36.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.35.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.35.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.6bd0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.37d17e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.3.svchost.exe.3d58c40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3fa14c0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.430706914.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.593102084.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.263705038.0000000003B32000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.587807203.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.432260240.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.505699283.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.373601058.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.583823180.0000000003FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.588230224.0000000007380000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 481F404B.exe PID: 6392, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: VknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: VknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLUSER
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6036 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6296 Thread sleep time: -14757395258967632s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5168 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6224 Thread sleep count: 3116 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6560 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6932 Thread sleep count: 109 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6492 Thread sleep count: 1460 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6672 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6580 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6536 Thread sleep count: 1154 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688 Thread sleep count: 1756 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7008 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688 Thread sleep count: 204 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6216 Thread sleep count: 1958 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4308 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6280 Thread sleep count: 62 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3396 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2876 Thread sleep count: 2068 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep count: 106 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4304 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6696 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6700 Thread sleep count: 4209 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6700 Thread sleep count: 3142 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6696 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3337 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3116
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1460
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1154
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1756
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1958
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2068
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Window / User API: threadDelayed 4209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Window / User API: threadDelayed 3142
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Contains capabilities to detect virtual machines
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: rm"SOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMware
Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareW_MATVN9Win32_VideoControllerHOLHWM8BVideoController120060621000000.000000-00029545192display.infMSBDAT374VDSOPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsR8CMBEKU
Source: svchost.exe, 00000004.00000002.565151015.0000028D9A45F000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp Binary or memory string: vmware
Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp Binary or memory string: VMwareVBoxARun using valid operating system
Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: rm&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: rm%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: svchost.exe, 00000004.00000002.564749589.0000028D9A449000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000008.00000002.551410688.0000017E86402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: rm)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: svchost.exe, 00000004.00000002.557362596.0000028D94C24000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@aF
Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: rm'C:\WINDOWS\system32\drivers\vmmouse.sys
Source: svchost.exe, 00000008.00000002.551595749.0000017E86429000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.561851061.000002BA27C67000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.557866132.000002A146A2A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_0040289F
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328 Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Code function: 1_2_024C6AD8 LdrInitializeThunk, 1_2_024C6AD8
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A Jump to behavior
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Writes to foreign memory regions
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 438000 Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 43A000 Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: CF7008 Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError, 6_2_00401C26
Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Users\user\Desktop\VknMvPoCXZ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\VknMvPoCXZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe Code function: 6_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread, 6_2_0040A272

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000010.00000002.556137517.0000022F49629000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3e21420.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.38b97a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3ef0098.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.39197e0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3e81c80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38b97a0.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38b97a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38b97a0.30.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.31.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3e41440.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.39197e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.436158543.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.588256996.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.431825282.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.434117466.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.432432130.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.374239562.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.374484408.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3e21420.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.38b97a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3ef0098.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.39197e0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3e81c80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38b97a0.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38b97a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38b97a0.30.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.31.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.svchost.exe.3e41440.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VknMvPoCXZ.exe.39197e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VknMvPoCXZ.exe.39197e0.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.436158543.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.588256996.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.431825282.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.434117466.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.432432130.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.374239562.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.374484408.0000000003919000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs