Windows Analysis Report 6P61y0u6Nn

Overview

General Information

Sample Name:	6P61y0u6Nn (renamed file extension from none to exe)
Analysis ID:	483898
MD5:	83f51a31a3b9ed0a4087aca907befdeb
SHA1:	f3805488954d7bdb7b1d83ef77968ae59170a1e9
SHA256:	d15ba749c366334fd969a221a70a8f567efb1ae5db0bdbceddb166301585806e
Tags:	AfiaWaveEnterprisesOyAgentTeslaexesigned
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Sigma detected: Powershell adding suspicious path to exclusion list

Drops PE files to the startup folder

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Defender Exclusion

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Creates autostart registry keys with suspicious names

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Drops PE files with benign system names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Contains functionality to launch a program with higher privileges

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Creates a start menu entry (Start Menu\Programs\Startup)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0.0.6P61y0u6Nn.exe.3737fb8.7.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "mailjege@yandex.com", "Password": "recovery111", "Host": "smtp.yandex.com"}

Multi AV Scanner detection for submitted file

Source: 6P61y0u6Nn.exe	Virustotal: Detection: 57%	Perma Link
Source: 6P61y0u6Nn.exe	Metadefender: Detection: 37%	Perma Link
Source: 6P61y0u6Nn.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Metadefender: Detection: 37%			Perma Link
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	ReversingLabs: Detection: 78%

Machine Learning detection for sample

Source: 6P61y0u6Nn.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Joe Sandbox ML: detected

Exploits:

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.38e7e30.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.4d20000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3867e10.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3867e10.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.4d20000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.38e7e30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3807dd0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3827df0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.529291545.00000000038E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.532733864.0000000004D20000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6P61y0u6Nn.exe PID: 7052, type: MEMORYSTR

Compliance:

Uses 32bit PE files

Source: 6P61y0u6Nn.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Directory created: C:\Program Files\Common Files\System\E59A6148			Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Directory created: C:\Program Files\Common Files\System\E59A6148\svchost.exe			Jump to behavior

Source: 6P61y0u6Nn.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe, 00000005.00000000.391449311.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000006.00000002.397079444.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.515843042.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000002.533841645.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.547940930.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.603628908.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000035.00000000.559453379.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000036.00000000.593616460.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000003A.00000002.609575039.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr
Source:	Binary string: jC:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535402085.00000000060D1000.00000004.00000001.sdmp
Source:	Binary string: 7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: kpC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbj% source: 6P61y0u6Nn.exe, 00000000.00000000.535402085.00000000060D1000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbxc.MMbisualB source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.488063135.00000000008E3000.00000004.00000020.sdmp
Source:	Binary string: symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: w.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: _ .pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.488063135.00000000008E3000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: jpC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: D:\Windows\Cursors\SuperServidorNet\_private_cry\rpe-bitrat\JabrezRPE\JabrezRPE\obj\x86\Debug\RunPE_MemoryProtection.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp
Source:	Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487601346.00000000008A0000.00000004.00000020.sdmp
Source:	Binary string: } .pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbF424491E3931}\InprocServer32 source: 6P61y0u6Nn.exe, 00000000.00000000.487601346.00000000008A0000.00000004.00000020.sdmp
Source:	Binary string: wsymbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb9 source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487711905.00000000008B1000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbH source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: 6P61y0u6Nn.PDB source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdbxj source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdbW source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\6P61y0u6Nn.PDBw source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdbst source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: 6P61y0u6Nn.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://regexlib.com/
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://www.davidemauri.it/
Source: AdvancedRun.exe, AdvancedRun.exe, 00000006.00000002.397079444.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.515843042.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000002.533841645.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.547940930.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.603628908.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000035.00000000.559453379.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000036.00000000.593616460.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000003A.00000002.609575039.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: http://www.nirsoft.net/
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://www.sourceforge.net/projects/regextestkhttp://www.codeproject.com/KB/cs/dotnetregextest.aspx_
Source: 6P61y0u6Nn.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: https://sectigo.com/CPS0C
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: 6P61y0u6Nn.exe, 00000000.00000000.526766283.0000000003778000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

Source: unknown

DNS traffic detected: queries for: canonicalizer.ucsuri.tcs

System Summary:

Uses 32bit PE files

Source: 6P61y0u6Nn.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7052 -ip 7052

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: String function: 0040B550 appears 50 times

Sample file is different than original file name gathered from version info

Source: 6P61y0u6Nn.exe, 00000000.00000000.488544878.0000000000B30000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameAntiDump.dll2 vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 00000000.00000000.483413213.00000000003E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp	Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X<>"°&<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 00000000.00000000.496559567.000000000289B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenametEnxeoGUbsIbZIOzasmmdEfR.exe4 vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 0000001E.00000000.476734025.0000000000CE2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe	Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs 6P61y0u6Nn.exe

PE file contains strange resources

Source: AdvancedRun.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 6P61y0u6Nn.exe	Virustotal: Detection: 57%
Source: 6P61y0u6Nn.exe	Metadefender: Detection: 37%
Source: 6P61y0u6Nn.exe	ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File read: C:\Users\user\Desktop\6P61y0u6Nn.exe

Jump to behavior

Source: 6P61y0u6Nn.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\6P61y0u6Nn.exe 'C:\Users\user\Desktop\6P61y0u6Nn.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /SpecialRun 4101d8 6492
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\Desktop\6P61y0u6Nn.exe C:\Users\user\Desktop\6P61y0u6Nn.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7052 -ip 7052
Source: unknown	Process created: C:\Program Files\Common Files\system\E59A6148\svchost.exe 'C:\Program Files\Common Files\System\E59A6148\svchost.exe'
Source: unknown	Process created: C:\Program Files\Common Files\system\E59A6148\svchost.exe 'C:\Program Files\Common Files\System\E59A6148\svchost.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /SpecialRun 4101d8 4740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /SpecialRun 4101d8 6860
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6804 -ip 6804
Source: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /SpecialRun 4101d8 7148
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\Desktop\6P61y0u6Nn.exe C:\Users\user\Desktop\6P61y0u6Nn.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /SpecialRun 4101d8 6492	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7052 -ip 7052
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6804 -ip 6804
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /SpecialRun 4101d8 4740
Source: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /SpecialRun 4101d8 6860
Source: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /SpecialRun 4101d8 7148
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 5_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		5_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 6_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		6_2_00408FC9

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe

Jump to behavior

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.expl.evad.winEXE@93/79@5/2

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

5_2_00401306

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

5_2_004095FD

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:204:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,

5_2_0040A33B

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Program Files\Common Files\System\E59A6148

Jump to behavior

Source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp

Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: 6P61y0u6Nn.exe, RegExTester/u0035AF3DEF2.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7ADA33B7.exe.0.dr, RegExTester/u0035AF3DEF2.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 6P61y0u6Nn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Directory created: C:\Program Files\Common Files\System\E59A6148			Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Directory created: C:\Program Files\Common Files\System\E59A6148\svchost.exe			Jump to behavior

Source: 6P61y0u6Nn.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: 6P61y0u6Nn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe, 00000005.00000000.391449311.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000006.00000002.397079444.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.515843042.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000002.533841645.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.547940930.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.603628908.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000035.00000000.559453379.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000036.00000000.593616460.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000003A.00000002.609575039.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr
Source:	Binary string: jC:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535402085.00000000060D1000.00000004.00000001.sdmp
Source:	Binary string: 7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: kpC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbj% source: 6P61y0u6Nn.exe, 00000000.00000000.535402085.00000000060D1000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbxc.MMbisualB source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.488063135.00000000008E3000.00000004.00000020.sdmp
Source:	Binary string: symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: w.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: _ .pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.488063135.00000000008E3000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: jpC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: D:\Windows\Cursors\SuperServidorNet\_private_cry\rpe-bitrat\JabrezRPE\JabrezRPE\obj\x86\Debug\RunPE_MemoryProtection.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp
Source:	Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487601346.00000000008A0000.00000004.00000020.sdmp
Source:	Binary string: } .pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbF424491E3931}\InprocServer32 source: 6P61y0u6Nn.exe, 00000000.00000000.487601346.00000000008A0000.00000004.00000020.sdmp
Source:	Binary string: wsymbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb9 source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487711905.00000000008B1000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbH source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: 6P61y0u6Nn.PDB source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdbxj source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdbW source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\6P61y0u6Nn.PDBw source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdbst source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 5_2_0040B550 push eax; ret	5_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 5_2_0040B550 push eax; ret	5_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 5_2_0040B50D push ecx; ret	5_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 6_2_0040B550 push eax; ret	6_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 6_2_0040B550 push eax; ret	6_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 6_2_0040B50D push ecx; ret	6_2_0040B51D

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_0040289F

PE file contains an invalid checksum

Source: 6P61y0u6Nn.exe	Static PE information: real checksum: 0xe06cf should be: 0xdb26d
Source: svchost.exe.0.dr	Static PE information: real checksum: 0xe06cf should be: 0xdb26d
Source: 7ADA33B7.exe.0.dr	Static PE information: real checksum: 0xe06cf should be: 0xdb26d

Binary contains a suspicious time stamp

Source: 6P61y0u6Nn.exe

Static PE information: 0xCA7188B4 [Tue Aug 17 15:03:16 2077 UTC]

Persistence and Installation Behavior:

Drops PE files with benign system names

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Program Files\Common Files\system\E59A6148\svchost.exe

Jump to dropped file

Drops PE files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	File created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Jump to dropped file
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	File created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Jump to dropped file
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File created: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Jump to dropped file
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe	Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe

Jump to dropped file

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe			Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe\:Zone.Identifier:$DATA			Jump to behavior

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

5_2_00401306

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00408E31

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.38e7e30.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.4d20000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3867e10.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3867e10.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.4d20000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.38e7e30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3807dd0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3827df0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.529291545.00000000038E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.532733864.0000000004D20000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6P61y0u6Nn.exe PID: 7052, type: MEMORYSTR

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Section loaded: OutputDebugStringW count: 1955
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Section loaded: OutputDebugStringW count: 3911
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Section loaded: OutputDebugStringW count: 3911

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLUSER

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6764	Thread sleep count: 2176 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432	Thread sleep count: 1375 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2156	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6364	Thread sleep count: 2008 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4248	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7112	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2252	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1288	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5624	Thread sleep count: 2800 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5872	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3496	Thread sleep count: 54 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5928	Thread sleep count: 1898 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5288	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1916	Thread sleep count: 104 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe TID: 3256	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe TID: 3132	Thread sleep count: 5315 > 30
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe TID: 348	Thread sleep count: 2828 > 30
Source: C:\Windows\System32\svchost.exe TID: 5784	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6440	Thread sleep count: 1249 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2444	Thread sleep count: 1370 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4976	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1768	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4964	Thread sleep count: 1371 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5532	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4724	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4460	Thread sleep count: 1820 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5628	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5280	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432	Thread sleep count: 160 > 30

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3690	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 474	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2176	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2170
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1375
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1332
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1898
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Window / User API: threadDelayed 5315
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Window / User API: threadDelayed 2828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1622
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1370
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1820

Contains capabilities to detect virtual machines

Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: VMwareVBoxARun using valid operating system
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AdvancedRun.exe, 00000023.00000002.533443386.0000000000817000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: m&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: m"SOFTWARE\VMware, Inc.\VMware Tools
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: AdvancedRun.exe, 00000027.00000002.575467738.0000000000767000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: m)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: m'C:\WINDOWS\system32\drivers\vmmouse.sys

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_0040289F

Enables debug privileges

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,

5_2_00401C26

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\Desktop\6P61y0u6Nn.exe C:\Users\user\Desktop\6P61y0u6Nn.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /SpecialRun 4101d8 6492	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7052 -ip 7052
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6804 -ip 6804
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /SpecialRun 4101d8 4740
Source: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /SpecialRun 4101d8 6860
Source: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /SpecialRun 4101d8 7148

Source: 6P61y0u6Nn.exe, 00000000.00000000.490174658.0000000001140000.00000002.00020000.sdmp, 7ADA33B7.exe, 00000013.00000000.607181872.0000000001150000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 6P61y0u6Nn.exe, 00000000.00000000.490174658.0000000001140000.00000002.00020000.sdmp, 7ADA33B7.exe, 00000013.00000000.607181872.0000000001150000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 6P61y0u6Nn.exe, 00000000.00000000.490174658.0000000001140000.00000002.00020000.sdmp, 7ADA33B7.exe, 00000013.00000000.607181872.0000000001150000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: 6P61y0u6Nn.exe, 00000000.00000000.490174658.0000000001140000.00000002.00020000.sdmp, 7ADA33B7.exe, 00000013.00000000.607181872.0000000001150000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Users\user\Desktop\6P61y0u6Nn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Users\user\Desktop\6P61y0u6Nn.exe VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Program Files\Common Files\system\E59A6148\svchost.exe VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Program Files\Common Files\system\E59A6148\svchost.exe VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,

5_2_0040A272

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3717f98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3737fb8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3737fb8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.526766283.0000000003778000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.525355976.0000000003700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6P61y0u6Nn.exe PID: 7052, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3717f98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3737fb8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3737fb8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.526766283.0000000003778000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.525355976.0000000003700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6P61y0u6Nn.exe PID: 7052, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name	IP	Active
canonicalizer.ucsuri.tcs	unknown	unknown

AV Detection:

Found malware configuration

Source: 0.0.6P61y0u6Nn.exe.3737fb8.7.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "mailjege@yandex.com", "Password": "recovery111", "Host": "smtp.yandex.com"}

Multi AV Scanner detection for submitted file

Source: 6P61y0u6Nn.exe	Virustotal: Detection: 57%	Perma Link
Source: 6P61y0u6Nn.exe	Metadefender: Detection: 37%	Perma Link
Source: 6P61y0u6Nn.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Metadefender: Detection: 37%			Perma Link
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	ReversingLabs: Detection: 78%

Machine Learning detection for sample

Source: 6P61y0u6Nn.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Joe Sandbox ML: detected

Exploits:

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.38e7e30.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.4d20000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3867e10.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3867e10.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.4d20000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.38e7e30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3807dd0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3827df0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.529291545.00000000038E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.532733864.0000000004D20000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6P61y0u6Nn.exe PID: 7052, type: MEMORYSTR

Compliance:

Uses 32bit PE files

Source: 6P61y0u6Nn.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Directory created: C:\Program Files\Common Files\System\E59A6148			Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Directory created: C:\Program Files\Common Files\System\E59A6148\svchost.exe			Jump to behavior

Source: 6P61y0u6Nn.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe, 00000005.00000000.391449311.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000006.00000002.397079444.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.515843042.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000002.533841645.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.547940930.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.603628908.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000035.00000000.559453379.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000036.00000000.593616460.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000003A.00000002.609575039.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr
Source:	Binary string: jC:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535402085.00000000060D1000.00000004.00000001.sdmp
Source:	Binary string: 7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: kpC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbj% source: 6P61y0u6Nn.exe, 00000000.00000000.535402085.00000000060D1000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbxc.MMbisualB source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.488063135.00000000008E3000.00000004.00000020.sdmp
Source:	Binary string: symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: w.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: _ .pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.488063135.00000000008E3000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: jpC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: D:\Windows\Cursors\SuperServidorNet\_private_cry\rpe-bitrat\JabrezRPE\JabrezRPE\obj\x86\Debug\RunPE_MemoryProtection.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp
Source:	Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487601346.00000000008A0000.00000004.00000020.sdmp
Source:	Binary string: } .pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbF424491E3931}\InprocServer32 source: 6P61y0u6Nn.exe, 00000000.00000000.487601346.00000000008A0000.00000004.00000020.sdmp
Source:	Binary string: wsymbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb9 source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487711905.00000000008B1000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbH source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: 6P61y0u6Nn.PDB source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdbxj source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdbW source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\6P61y0u6Nn.PDBw source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdbst source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: 6P61y0u6Nn.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://regexlib.com/
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://www.davidemauri.it/
Source: AdvancedRun.exe, AdvancedRun.exe, 00000006.00000002.397079444.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.515843042.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000002.533841645.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.547940930.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.603628908.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000035.00000000.559453379.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000036.00000000.593616460.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000003A.00000002.609575039.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: http://www.nirsoft.net/
Source: 6P61y0u6Nn.exe	String found in binary or memory: http://www.sourceforge.net/projects/regextestkhttp://www.codeproject.com/KB/cs/dotnetregextest.aspx_
Source: 6P61y0u6Nn.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: https://sectigo.com/CPS0C
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: 6P61y0u6Nn.exe, 00000000.00000000.526766283.0000000003778000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

Source: unknown

DNS traffic detected: queries for: canonicalizer.ucsuri.tcs

System Summary:

Uses 32bit PE files

Source: 6P61y0u6Nn.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7052 -ip 7052

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: String function: 0040B550 appears 50 times

Sample file is different than original file name gathered from version info

Source: 6P61y0u6Nn.exe, 00000000.00000000.488544878.0000000000B30000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameAntiDump.dll2 vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 00000000.00000000.483413213.00000000003E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp	Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X<>"°&<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 00000000.00000000.496559567.000000000289B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenametEnxeoGUbsIbZIOzasmmdEfR.exe4 vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe, 0000001E.00000000.476734025.0000000000CE2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs 6P61y0u6Nn.exe
Source: 6P61y0u6Nn.exe	Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs 6P61y0u6Nn.exe

PE file contains strange resources

Source: AdvancedRun.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 6P61y0u6Nn.exe	Virustotal: Detection: 57%
Source: 6P61y0u6Nn.exe	Metadefender: Detection: 37%
Source: 6P61y0u6Nn.exe	ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File read: C:\Users\user\Desktop\6P61y0u6Nn.exe

Jump to behavior

Source: 6P61y0u6Nn.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\6P61y0u6Nn.exe 'C:\Users\user\Desktop\6P61y0u6Nn.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /SpecialRun 4101d8 6492
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\Desktop\6P61y0u6Nn.exe C:\Users\user\Desktop\6P61y0u6Nn.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7052 -ip 7052
Source: unknown	Process created: C:\Program Files\Common Files\system\E59A6148\svchost.exe 'C:\Program Files\Common Files\System\E59A6148\svchost.exe'
Source: unknown	Process created: C:\Program Files\Common Files\system\E59A6148\svchost.exe 'C:\Program Files\Common Files\System\E59A6148\svchost.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /SpecialRun 4101d8 4740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /SpecialRun 4101d8 6860
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6804 -ip 6804
Source: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /SpecialRun 4101d8 7148
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\Desktop\6P61y0u6Nn.exe C:\Users\user\Desktop\6P61y0u6Nn.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /SpecialRun 4101d8 6492	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7052 -ip 7052
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6804 -ip 6804
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /SpecialRun 4101d8 4740
Source: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /SpecialRun 4101d8 6860
Source: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /SpecialRun 4101d8 7148
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 5_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		5_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 6_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		6_2_00408FC9

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe

Jump to behavior

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.expl.evad.winEXE@93/79@5/2

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

5_2_00401306

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

5_2_004095FD

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:204:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,

5_2_0040A33B

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Program Files\Common Files\System\E59A6148

Jump to behavior

Source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp

Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: 6P61y0u6Nn.exe, RegExTester/u0035AF3DEF2.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7ADA33B7.exe.0.dr, RegExTester/u0035AF3DEF2.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 6P61y0u6Nn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Directory created: C:\Program Files\Common Files\System\E59A6148			Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Directory created: C:\Program Files\Common Files\System\E59A6148\svchost.exe			Jump to behavior

Source: 6P61y0u6Nn.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: 6P61y0u6Nn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.524527888.0000000003661000.00000004.00000001.sdmp, AdvancedRun.exe, 00000005.00000000.391449311.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000006.00000002.397079444.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.515843042.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000002.533841645.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.547940930.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.603628908.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000035.00000000.559453379.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000036.00000000.593616460.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000003A.00000002.609575039.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr
Source:	Binary string: jC:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535402085.00000000060D1000.00000004.00000001.sdmp
Source:	Binary string: 7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: kpC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbj% source: 6P61y0u6Nn.exe, 00000000.00000000.535402085.00000000060D1000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbxc.MMbisualB source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.488063135.00000000008E3000.00000004.00000020.sdmp
Source:	Binary string: symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: w.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: _ .pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.488063135.00000000008E3000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: jpC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: D:\Windows\Cursors\SuperServidorNet\_private_cry\rpe-bitrat\JabrezRPE\JabrezRPE\obj\x86\Debug\RunPE_MemoryProtection.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp
Source:	Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487601346.00000000008A0000.00000004.00000020.sdmp
Source:	Binary string: } .pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbF424491E3931}\InprocServer32 source: 6P61y0u6Nn.exe, 00000000.00000000.487601346.00000000008A0000.00000004.00000020.sdmp
Source:	Binary string: wsymbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb9 source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487711905.00000000008B1000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbH source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.PDB source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: 6P61y0u6Nn.PDB source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdbxj source: 6P61y0u6Nn.exe, 00000000.00000000.535283737.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdbW source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp
Source:	Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb.FastSerialization.pdb source: 7ADA33B7.exe, 00000013.00000000.600029101.00000000008F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\6P61y0u6Nn.PDBw source: 6P61y0u6Nn.exe, 00000000.00000000.484739050.0000000000778000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdbst source: 6P61y0u6Nn.exe, 00000000.00000000.487756868.00000000008BC000.00000004.00000020.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 5_2_0040B550 push eax; ret	5_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 5_2_0040B550 push eax; ret	5_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 5_2_0040B50D push ecx; ret	5_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 6_2_0040B550 push eax; ret	6_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 6_2_0040B550 push eax; ret	6_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Code function: 6_2_0040B50D push ecx; ret	6_2_0040B51D

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_0040289F

PE file contains an invalid checksum

Source: 6P61y0u6Nn.exe	Static PE information: real checksum: 0xe06cf should be: 0xdb26d
Source: svchost.exe.0.dr	Static PE information: real checksum: 0xe06cf should be: 0xdb26d
Source: 7ADA33B7.exe.0.dr	Static PE information: real checksum: 0xe06cf should be: 0xdb26d

Binary contains a suspicious time stamp

Source: 6P61y0u6Nn.exe

Static PE information: 0xCA7188B4 [Tue Aug 17 15:03:16 2077 UTC]

Persistence and Installation Behavior:

Drops PE files with benign system names

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Program Files\Common Files\system\E59A6148\svchost.exe

Jump to dropped file

Drops PE files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	File created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Jump to dropped file
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	File created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Jump to dropped file
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File created: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Jump to dropped file
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe	Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe

Jump to dropped file

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe			Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe\:Zone.Identifier:$DATA			Jump to behavior

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

5_2_00401306

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

5_2_00408E31

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.38e7e30.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.4d20000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3867e10.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3867e10.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.4d20000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.38e7e30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3807dd0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3827df0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.529291545.00000000038E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.532733864.0000000004D20000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6P61y0u6Nn.exe PID: 7052, type: MEMORYSTR

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Section loaded: OutputDebugStringW count: 1955
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Section loaded: OutputDebugStringW count: 3911
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Section loaded: OutputDebugStringW count: 3911

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLUSER

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6764	Thread sleep count: 2176 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432	Thread sleep count: 1375 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2156	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6364	Thread sleep count: 2008 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4248	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7112	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2252	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1288	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5624	Thread sleep count: 2800 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5872	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3496	Thread sleep count: 54 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5928	Thread sleep count: 1898 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5288	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1916	Thread sleep count: 104 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe TID: 3256	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe TID: 3132	Thread sleep count: 5315 > 30
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe TID: 348	Thread sleep count: 2828 > 30
Source: C:\Windows\System32\svchost.exe TID: 5784	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6440	Thread sleep count: 1249 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2444	Thread sleep count: 1370 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4976	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1768	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4964	Thread sleep count: 1371 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5532	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4724	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4460	Thread sleep count: 1820 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5628	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5280	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432	Thread sleep count: 160 > 30

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3690	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 474	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2176	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2170
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1375
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1332
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1898
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Window / User API: threadDelayed 5315
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Window / User API: threadDelayed 2828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1622
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1370
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1820

Contains capabilities to detect virtual machines

Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: VMwareVBoxARun using valid operating system
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AdvancedRun.exe, 00000023.00000002.533443386.0000000000817000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: m&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: m"SOFTWARE\VMware, Inc.\VMware Tools
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: AdvancedRun.exe, 00000027.00000002.575467738.0000000000767000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 6P61y0u6Nn.exe, 00000000.00000000.527904707.0000000003807000.00000004.00000001.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: m)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: 6P61y0u6Nn.exe, 00000000.00000000.490685699.0000000002661000.00000004.00000001.sdmp	Binary or memory string: m'C:\WINDOWS\system32\drivers\vmmouse.sys

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_0040289F

Enables debug privileges

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,

5_2_00401C26

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\6P61y0u6Nn.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Process created: C:\Users\user\Desktop\6P61y0u6Nn.exe C:\Users\user\Desktop\6P61y0u6Nn.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe' /SpecialRun 4101d8 6492	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7052 -ip 7052
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6804 -ip 6804
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe' /SpecialRun 4101d8 4740
Source: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe' /SpecialRun 4101d8 6860
Source: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe' /SpecialRun 4101d8 7148

Source: 6P61y0u6Nn.exe, 00000000.00000000.490174658.0000000001140000.00000002.00020000.sdmp, 7ADA33B7.exe, 00000013.00000000.607181872.0000000001150000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 6P61y0u6Nn.exe, 00000000.00000000.490174658.0000000001140000.00000002.00020000.sdmp, 7ADA33B7.exe, 00000013.00000000.607181872.0000000001150000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 6P61y0u6Nn.exe, 00000000.00000000.490174658.0000000001140000.00000002.00020000.sdmp, 7ADA33B7.exe, 00000013.00000000.607181872.0000000001150000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: 6P61y0u6Nn.exe, 00000000.00000000.490174658.0000000001140000.00000002.00020000.sdmp, 7ADA33B7.exe, 00000013.00000000.607181872.0000000001150000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Users\user\Desktop\6P61y0u6Nn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Users\user\Desktop\6P61y0u6Nn.exe VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6P61y0u6Nn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Program Files\Common Files\system\E59A6148\svchost.exe VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Program Files\Common Files\system\E59A6148\svchost.exe VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation

Source: C:\Users\user\Desktop\6P61y0u6Nn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe

Code function: 5_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,

5_2_0040A272

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3717f98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3737fb8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3737fb8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.526766283.0000000003778000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.525355976.0000000003700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6P61y0u6Nn.exe PID: 7052, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3717f98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3737fb8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.6P61y0u6Nn.exe.3737fb8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.526766283.0000000003778000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.525355976.0000000003700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6P61y0u6Nn.exe PID: 7052, type: MEMORYSTR

ID:	483898
Product:	CloudBasic
Start time:	15:53:32
Start date:	15.09.2021
Sample:	6P61y0u6Nn
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	83f51a31a3b9ed0a4087aca907befdeb
SHA1:	f3805488954d7bdb7b1d83ef77968ae59170a1e9
SHA256:	d15ba749c366334fd969a221a70a8f567efb1ae5db0bdbceddb166301585806e
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Name	Type	MD5	SHA1	SHA256
C:\Program Files\Common Files\system\E59A6148\svchost.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	83F51A31A3B9ED0A4087ACA907BEFDEB	F3805488954D7BDB7B1D83EF77968AE59170A1E9	D15BA749C366334FD969A221A70A8F567EFB1AE5DB0BDBCEDDB166301585806E
C:\Program Files\Common Files\system\E59A6148\svchost.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	D786E566BC45AF0160C4A45FA480D442	FB3BE2C17E9C79B24274B61507C2AA17DF990528	B83A069E4A2B0F02D1D13A1B3D0FFB02D78AC3653CDD4AB923FF8B2240CADB2D
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage user DataBase, version 0x620, checksum 0xb5c8843e, page size 16384, DirtyShutdown, Windows version 10.0	05DE836739074D26E7AFACEB7738C4C2	9DA21079A6ECAC68463B66350FEA73E5D571BAEE	3CB20C691BCFF64DCB5BF8A8A778F3F7E062A3B3016263202A43583654A3FD8D
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	817D9A07F658935024114CEEA4A5764F	FDEDD600A1DDFF38A1222C83CBE276187B995BC6	83762F997E4F765CCA39123352A4DC736F9BB53E174EE1C6FB2AB2D6309D4911
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	8D5E194411E038C060288366D6766D3D	DC1A8229ED0B909042065EA69253E86E86D71C88	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	3078753A2006535A63117F37689629A9	784B2B465DC2DA375F4FDA22E278625886CE86E6	4E6E327CF948F4D8B9AF4148D7DFD6377E079A6741AEBEF97BADD3CE3F1DF202
C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	17FC12902F4769AF3A9271EB4E2DACCE	9A4A1581CC3971579574F837E110F3BD6D529DAB	29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat	ASCII text, with very long lines, with CRLF line terminators	B2A5EF7D334BDF866113C6F4F9036AAE	F9027F2827B35840487EFD04E818121B5A8541E0	27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	17FC12902F4769AF3A9271EB4E2DACCE	9A4A1581CC3971579574F837E110F3BD6D529DAB	29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat	ASCII text, with very long lines, with CRLF line terminators	B2A5EF7D334BDF866113C6F4F9036AAE	F9027F2827B35840487EFD04E818121B5A8541E0	27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	17FC12902F4769AF3A9271EB4E2DACCE	9A4A1581CC3971579574F837E110F3BD6D529DAB	29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat	ASCII text, with very long lines, with CRLF line terminators	B2A5EF7D334BDF866113C6F4F9036AAE	F9027F2827B35840487EFD04E818121B5A8541E0	27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2vq4c30n.hre.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fhtvdiy.ks4.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_53g0o2y2.5iz.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5cymq2wv.eqf.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bakq5gb0.q3f.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_butynpy2.fhn.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvydw1mq.uvm.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5mblyo5.hbx.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ichx54v4.s1k.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyamx0do.zt4.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jddt5hq2.czv.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jna5bssn.ldi.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jpezsbnz.1f0.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbdjttyt.kg4.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nd4is0gq.rfd.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ndk5muty.fik.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npy3ftdb.oi1.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psd5o1gf.32i.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ptyzf23y.xc5.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qxn55ua0.cnh.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rqobtuj1.jfs.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxw1d434.kcs.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_soufzxk1.qev.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sssd5d50.ed0.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tdifzaeb.1nw.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_te20ts3b.dv2.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uumxibsd.qrp.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbtwqko3.baj.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z2dsoebv.o3s.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zvmxazb3.r4v.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	17FC12902F4769AF3A9271EB4E2DACCE	9A4A1581CC3971579574F837E110F3BD6D529DAB	29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat	ASCII text, with very long lines, with CRLF line terminators	B2A5EF7D334BDF866113C6F4F9036AAE	F9027F2827B35840487EFD04E818121B5A8541E0	27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	17FC12902F4769AF3A9271EB4E2DACCE	9A4A1581CC3971579574F837E110F3BD6D529DAB	29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat	ASCII text, with very long lines, with CRLF line terminators	B2A5EF7D334BDF866113C6F4F9036AAE	F9027F2827B35840487EFD04E818121B5A8541E0	27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	83F51A31A3B9ED0A4087ACA907BEFDEB	F3805488954D7BDB7B1D83EF77968AE59170A1E9	D15BA749C366334FD969A221A70A8F567EFB1AE5DB0BDBCEDDB166301585806E
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.+XmHsUNP.20210915155527.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	201A2D02C97F2C65CCBD14C9F147CAD1	68858F5919D2BFD915C824229F55BAD92C4C89DF	61FDC8A911442784A14B1A7C1D97C2B80B2E1DC1AC5ED4CEE414F06CA009461D
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.1UafY6nv.20210915155630.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	A04DE45E1CDF45309BFFE2C3FB6C9C45	CE8C85764E691DA094BCAA746EE11B7145441B5D	34CB0DA488D33740EEAF2B87D2B683642896E52390875FF9008EBF0CE26CFADE
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.2IO6Ihvl.20210915155520.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	468A58AC7411F4219ADD5B61719FB7B2	20BFBD726FF4A382A29DD5EF4DAD491A5CA5EED9	94D4F1B9C2107484A6DD574C916124C5280F32B0F00A5200B1FC971588FEFF4D
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.7dgcABRu.20210915155608.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	17D0E5F4FC2F21B1F4CB6C146D757956	73D096CC72D948B9AC75B4BA61B4056A3186BC2D	AC8B6A77BF9D9069E674B85FC6A68A5E523268E89DB90581458EB3FB2C086CBF
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.CByUc04+.20210915155502.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D4F832C42FEFFA5979ED78AF9FAA168D	527A91C8421B909F4233FB748E390959DC4107DB	00F0ECC6B10A0F99AF516AD2F31731FEBC4F8DE38A36139642411EF4DC7C0A9E
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.OpllYleI.20210915155500.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	15B3445F4883386E1418DF8985B36791	D194FC4034D6D4437FEF1FE7C1A632905BD3372F	7724274CDAF666A8F482E1252921CE8512D6E861D0201A45E3FF6DD3BDE66ED4
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.Usb5hF8x.20210915155615.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9FE9ED12E357C3005931C3C9686B67BF	4160F65ABAFF7A7B4BF3DFA18B451E61C275CAF3	5DBBAA1096B71CE4399C0F3471347404CBAA77A60A8FFC07806942C626C239EF
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.Z7CArzfL.20210915155612.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D5EC400954D40507C9D52B98CFD5075E	685ADB0E2227990B0530870AC15219B1E8717B65	34CAD5FCF123DD4FC8598B69BB95FB2659C50A67B91D8955E805E624A77F53AC
C:\Users\user\Documents\20210915\PowerShell_transcript.571345._PywPqRN.20210915155503.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	EA2ACA00123177CD2D242CCC01049FE5	3C961806794EC1E93D3946D297C44888D81315D8	CA417E2DC3A208DC433C82A322810132B1E676AB5AA0ABAB578E0558266A2395
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.cNh4BXcU.20210915155615.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9873E482D8EBEBFED4DDC4778C5CB475	DC4F5E2E8C3624F0D392FB49EE00DAF26CAB18E3	60CBF708374A61D162BE945E438A6D69FF8BB71EBF587DFD9536FE026706EDA2
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.hovu9FR5.20210915155511.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F09C269E4760B60FF08D0267EE2A4D87	A295312F5B848AD1E4C320F0CB2ED45A4C959BC1	F0DD29C72045698D1958604D253ABF1FCEF38289EF52549F8436EB9438BEA973
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.m3EPoBtw.20210915155610.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	4A67913DC6C984FF9AD2613559FC00FE	159C793D1F72353C41BF018E9EF9DC4BC4DA28F3	C74BED6033B461D6A90A941F723237537EDB40C907A337E1BFC9EF0592ED9EDC
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.nsM1HNmK.20210915155512.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	1D1F4271D27DA7E0BD8839E88D670B47	64BB8489D1A41BBCD951F36E3C83FFB9FCCBADFA	B4C15EF34BC03A680A13D4405AC1235CA08A74ED4C180CBE3B0CCD21E34FD533
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.sWSZZ_Tx.20210915155519.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	77113F00C213858479F925C1DAAB5CB8	4D72DB40762F29BCCD2C905C6FBF0886A06B8644	4AE7FD2E8BC3B2A1FFF1D94F4BB3C957224859B97F1C4C1A9238AFF0AAE2C128
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9

Windows Analysis Report 6P61y0u6Nn

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains