Windows Analysis Report lKJbVguaav

Overview

General Information

Sample Name: lKJbVguaav (renamed file extension from none to exe)
Analysis ID: 483912
MD5: 5f377de371a8e95acec9956303d6f032
SHA1: 4d36d918df8ff90c0327ef713cfa262591d93636
SHA256: 46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09
Tags: AfiaWaveEnterprisesOyAgentTeslaexesigned
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM3
Found malware configuration
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Drops PE files to the startup folder
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Drops PE files with benign system names
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Launches processes in debugging mode, may be used to hinder debugging
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Creates files inside the system directory
Found potential string decryption / allocating functions
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.0.lKJbVguaav.exe.40e7fb8.5.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "mailjege@yandex.com", "Password": "recovery111", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: lKJbVguaav.exe Virustotal: Detection: 61% Perma Link
Source: lKJbVguaav.exe Metadefender: Detection: 34% Perma Link
Source: lKJbVguaav.exe ReversingLabs: Detection: 66%
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Virustotal: Detection: 61% Perma Link
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Metadefender: Detection: 34% Perma Link
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Metadefender: Detection: 34% Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe ReversingLabs: Detection: 66%
Machine Learning detection for sample
Source: lKJbVguaav.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Joe Sandbox ML: detected

Exploits:

barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 0.0.lKJbVguaav.exe.4297e30.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.4297e30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.4217e10.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.4217e10.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.56f0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.41d7df0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.56f0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.41b7dd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.424024151.00000000056F0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.413677041.00000000041B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lKJbVguaav.exe PID: 6396, type: MEMORYSTR

Compliance:

barindex
Uses 32bit PE files
Source: lKJbVguaav.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\lKJbVguaav.exe Directory created: C:\Program Files\Common Files\System\E59A6148 Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Directory created: C:\Program Files\Common Files\System\E59A6148\svchost.exe Jump to behavior
Source: lKJbVguaav.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: System.Core.ni.pdbRSDSD source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbF source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: Accessibility.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb8 source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
Source: Binary string: symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: lKJbVguaav.PDB@ source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Core.ni.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: D:\Windows\Cursors\SuperServidorNet\_private_cry\rpe-bitrat\JabrezRPE\JabrezRPE\obj\x86\Debug\RunPE_MemoryProtection.pdb source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.363430987.000000000143F000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\Microsoft.Diagnostics.FastSerialization.pdbpdbion.pdb7 source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: ipC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe, 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002B.00000002.440495695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.445188545.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000000.435782596.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.439972142.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000000.439981519.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.454809675.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000033.00000002.448405509.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000034.00000000.450460932.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.37.dr
Source: Binary string: System.Xml.ni.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: iC:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe
Source: Binary string: C:\Users\user\Desktop\lKJbVguaav.PDB source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.426583750.00000000067DD000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.426370254.00000000067C0000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbv.PDB source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: RunPE_MemoryProtection.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Core.pdbH source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Xml.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.363430987.000000000143F000.00000004.00000020.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb@ source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb) source: lKJbVguaav.exe, 00000000.00000000.426370254.00000000067C0000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbic.pdbE3931}\InprocServer32 source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: System.Drawing.pdbr source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Windows.Forms.pdbh source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp, WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: System.Drawing.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Management.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Core.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: c.pdbis_ source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: Microsoft.Diagnostics.FastSerialization.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Xml.pdbD source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: .pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.ni.pdb source: WERF3FB.tmp.dmp.38.dr
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: lKJbVguaav.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: lKJbVguaav.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: lKJbVguaav.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: lKJbVguaav.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: lKJbVguaav.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: lKJbVguaav.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: lKJbVguaav.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: lKJbVguaav.exe String found in binary or memory: http://regexlib.com/
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lKJbVguaav.exe String found in binary or memory: http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
Source: svchost.exe, 0000000A.00000002.309975982.0000020E98A24000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: lKJbVguaav.exe String found in binary or memory: http://www.davidemauri.it/
Source: AdvancedRun.exe, AdvancedRun.exe, 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002B.00000002.440495695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.445188545.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000000.435782596.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.439972142.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000000.439981519.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.454809675.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000033.00000002.448405509.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000034.00000000.450460932.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.37.dr String found in binary or memory: http://www.nirsoft.net/
Source: lKJbVguaav.exe String found in binary or memory: http://www.sourceforge.net/projects/regextestkhttp://www.codeproject.com/KB/cs/dotnetregextest.aspx_
Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000003.309250286.0000020E98A49000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.310133862.0000020E98A56000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.309267797.0000020E98A40000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.309267797.0000020E98A40000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309267797.0000020E98A40000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.309250286.0000020E98A49000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309164637.0000020E98A64000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: lKJbVguaav.exe String found in binary or memory: https://sectigo.com/CPS0
Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.dr String found in binary or memory: https://sectigo.com/CPS0C
Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.309975982.0000020E98A24000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309289255.0000020E98A45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310062042.0000020E98A39000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000002.310133862.0000020E98A56000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: lKJbVguaav.exe, 00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: unknown DNS traffic detected: queries for: canonicalizer.ucsuri.tcs

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: lKJbVguaav.exe, 00000000.00000000.363337679.000000000140A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

DDoS:

barindex
Too many similar processes found
Source: powershell.exe Process created: 46

System Summary:

barindex
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6396 -ip 6396
PE file contains strange resources
Source: AdvancedRun.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.24.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.24.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.32.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.32.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses 32bit PE files
Source: lKJbVguaav.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
Sample file is different than original file name gathered from version info
Source: lKJbVguaav.exe, 00000000.00000000.362788236.0000000000D82000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs lKJbVguaav.exe
Source: lKJbVguaav.exe, 00000000.00000000.391473662.000000000324B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenametEnxeoGUbsIbZIOzasmmdEfR.exe4 vs lKJbVguaav.exe
Source: lKJbVguaav.exe, 00000000.00000000.391473662.000000000324B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAntiDump.dll2 vs lKJbVguaav.exe
Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs lKJbVguaav.exe
Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs lKJbVguaav.exe
Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs lKJbVguaav.exe
Source: lKJbVguaav.exe, 00000000.00000000.363337679.000000000140A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs lKJbVguaav.exe
Source: lKJbVguaav.exe, 00000022.00000000.350090444.0000000000752000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs lKJbVguaav.exe
Source: lKJbVguaav.exe Binary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs lKJbVguaav.exe
Source: lKJbVguaav.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Jump to behavior
Source: classification engine Classification label: mal100.troj.adwa.expl.evad.winEXE@128/79@5/2
Source: C:\Users\user\Desktop\lKJbVguaav.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 7_2_00401306
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 7_2_0040A33B
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Program Files\Common Files\System\E59A6148 Jump to behavior
Source: lKJbVguaav.exe, 00000000.00000000.363430987.000000000143F000.00000004.00000020.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: lKJbVguaav.exe Virustotal: Detection: 61%
Source: lKJbVguaav.exe Metadefender: Detection: 34%
Source: lKJbVguaav.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\lKJbVguaav.exe File read: C:\Users\user\Desktop\lKJbVguaav.exe Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\lKJbVguaav.exe 'C:\Users\user\Desktop\lKJbVguaav.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /SpecialRun 4101d8 6924
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\Desktop\lKJbVguaav.exe C:\Users\user\Desktop\lKJbVguaav.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6396 -ip 6396
Source: unknown Process created: C:\Program Files\Common Files\system\E59A6148\svchost.exe 'C:\Program Files\Common Files\System\E59A6148\svchost.exe'
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1860
Source: unknown Process created: C:\Program Files\Common Files\system\E59A6148\svchost.exe 'C:\Program Files\Common Files\System\E59A6148\svchost.exe'
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /SpecialRun 4101d8 2540
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /SpecialRun 4101d8 5616
Source: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /SpecialRun 4101d8 2028
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\Desktop\lKJbVguaav.exe C:\Users\user\Desktop\lKJbVguaav.exe Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1860 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /SpecialRun 4101d8 6924 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6396 -ip 6396
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /SpecialRun 4101d8 2540
Source: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712
Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /SpecialRun 4101d8 5616
Source: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /SpecialRun 4101d8 2028
Source: C:\Users\user\Desktop\lKJbVguaav.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 7_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 11_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 11_2_00408FC9
Source: C:\Users\user\Desktop\lKJbVguaav.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011 Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\lKJbVguaav.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 7_2_004095FD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: Local\SM0:1488:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6396
Source: C:\Windows\System32\conhost.exe Mutant created: Local\SM0:7152:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: Local\SM0:6640:64:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: Local\SM0:4488:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: Local\SM0:6344:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:64:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3000:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: Local\SM0:3676:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: Local\SM0:6432:64:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6348:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: Local\SM0:5936:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: Local\SM0:3532:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: Local\SM0:2812:120:WilError_01
Source: lKJbVguaav.exe, RegExTester/u0035AF3DEF2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7ADA33B7.exe.0.dr, RegExTester/u0035AF3DEF2.cs Cryptographic APIs: 'CreateDecryptor'
Source: svchost.exe.0.dr, RegExTester/u0035AF3DEF2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.lKJbVguaav.exe.cb0000.1.unpack, RegExTester/u0035AF3DEF2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.lKJbVguaav.exe.cb0000.0.unpack, RegExTester/u0035AF3DEF2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 24.0.7ADA33B7.exe.f80000.0.unpack, RegExTester/u0035AF3DEF2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 32.0.7ADA33B7.exe.850000.0.unpack, RegExTester/u0035AF3DEF2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 34.0.lKJbVguaav.exe.680000.0.unpack, RegExTester/u0035AF3DEF2.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: lKJbVguaav.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\lKJbVguaav.exe Directory created: C:\Program Files\Common Files\System\E59A6148 Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Directory created: C:\Program Files\Common Files\System\E59A6148\svchost.exe Jump to behavior
Source: lKJbVguaav.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: lKJbVguaav.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Core.ni.pdbRSDSD source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbF source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: Accessibility.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb8 source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
Source: Binary string: symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: lKJbVguaav.PDB@ source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Core.ni.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: D:\Windows\Cursors\SuperServidorNet\_private_cry\rpe-bitrat\JabrezRPE\JabrezRPE\obj\x86\Debug\RunPE_MemoryProtection.pdb source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.363430987.000000000143F000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\Microsoft.Diagnostics.FastSerialization.pdbpdbion.pdb7 source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: ipC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe, 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002B.00000002.440495695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.445188545.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000000.435782596.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.439972142.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000000.439981519.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.454809675.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000033.00000002.448405509.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000034.00000000.450460932.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.37.dr
Source: Binary string: System.Xml.ni.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: iC:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe
Source: Binary string: C:\Users\user\Desktop\lKJbVguaav.PDB source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.426583750.00000000067DD000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.426370254.00000000067C0000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbv.PDB source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: RunPE_MemoryProtection.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Core.pdbH source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Xml.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.363430987.000000000143F000.00000004.00000020.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb@ source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb) source: lKJbVguaav.exe, 00000000.00000000.426370254.00000000067C0000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbic.pdbE3931}\InprocServer32 source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: System.Drawing.pdbr source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Windows.Forms.pdbh source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp, WERF3FB.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
Source: Binary string: System.Drawing.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Management.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Core.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: c.pdbis_ source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: Microsoft.Diagnostics.FastSerialization.pdb source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.Xml.pdbD source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: .pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
Source: Binary string: System.ni.pdb source: WERF3FB.tmp.dmp.38.dr

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_0040B550 push eax; ret 7_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_0040B550 push eax; ret 7_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_0040B50D push ecx; ret 7_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 11_2_0040B550 push eax; ret 11_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 11_2_0040B550 push eax; ret 11_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 11_2_0040B50D push ecx; ret 11_2_0040B51D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_0040289F
Binary contains a suspicious time stamp
Source: lKJbVguaav.exe Static PE information: 0xCA7188B4 [Tue Aug 17 15:03:16 2077 UTC]
PE file contains an invalid checksum
Source: svchost.exe.0.dr Static PE information: real checksum: 0xe06cf should be: 0xd1df1
Source: 7ADA33B7.exe.0.dr Static PE information: real checksum: 0xe06cf should be: 0xd1df1
Source: lKJbVguaav.exe Static PE information: real checksum: 0xe06cf should be: 0xd1df1

Persistence and Installation Behavior:

barindex
Drops PE files with benign system names
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Program Files\Common Files\system\E59A6148\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Jump to dropped file
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe File created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe Jump to dropped file
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe File created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe File created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe File created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Jump to dropped file
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Program Files\Common Files\system\E59A6148\svchost.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Jump to dropped file
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\lKJbVguaav.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7 Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe\:Zone.Identifier:$DATA Jump to behavior
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\lKJbVguaav.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7 Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7 Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7 Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 7_2_00401306

Hooking and other Techniques for Hiding and Protection:

barindex
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_00408E31
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\lKJbVguaav.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 0.0.lKJbVguaav.exe.4297e30.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.4297e30.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.4217e10.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.4217e10.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.56f0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.41d7df0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.56f0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.41b7dd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.424024151.00000000056F0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.413677041.00000000041B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lKJbVguaav.exe PID: 6396, type: MEMORYSTR
Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Users\user\Desktop\lKJbVguaav.exe Section loaded: OutputDebugStringW count: 1955
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Section loaded: OutputDebugStringW count: 3911
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Section loaded: OutputDebugStringW count: 3911
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLUSER
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\lKJbVguaav.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\lKJbVguaav.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\lKJbVguaav.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\lKJbVguaav.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6724 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6576 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6208 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6252 Thread sleep count: 2098 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4864 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6240 Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6468 Thread sleep count: 874 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5044 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1260 Thread sleep count: 1280 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 844 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6636 Thread sleep count: 1384 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3108 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6000 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3980 Thread sleep count: 849 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1284 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5036 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4776 Thread sleep count: 1653 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3676 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4856 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4944 Thread sleep count: 1214 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6516 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5768 Thread sleep count: 38 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\lKJbVguaav.exe TID: 6152 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\lKJbVguaav.exe TID: 6220 Thread sleep count: 3296 > 30
Source: C:\Users\user\Desktop\lKJbVguaav.exe TID: 6220 Thread sleep count: 6484 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6384 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2892 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2092 Thread sleep count: 1299 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6860 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5996 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4964 Thread sleep count: 801 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4012 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4012 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2904 Thread sleep count: 457 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6668 Thread sleep count: 342 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5176 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5176 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6852 Thread sleep count: 449 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4356 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4356 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5768 Thread sleep count: 322 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6008 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568 Thread sleep count: 159 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1316 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4196 Thread sleep count: 61 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6756 Thread sleep count: 54 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6820 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\lKJbVguaav.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2481 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2098
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1280
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1384
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 849
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1653
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1214
Source: C:\Users\user\Desktop\lKJbVguaav.exe Window / User API: threadDelayed 3296
Source: C:\Users\user\Desktop\lKJbVguaav.exe Window / User API: threadDelayed 6484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1005
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1299
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 801
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 457
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 449
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\lKJbVguaav.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Contains capabilities to detect virtual machines
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\lKJbVguaav.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\lKJbVguaav.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: VMware
Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: vmware
Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp Binary or memory string: VMwareVBoxARun using valid operating system
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: m&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: m"SOFTWARE\VMware, Inc.\VMware Tools
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: m)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmp Binary or memory string: m'C:\WINDOWS\system32\drivers\vmmouse.sys
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: CodeIntegrityInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_0040289F
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1860 Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\lKJbVguaav.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Users\user\Desktop\lKJbVguaav.exe C:\Users\user\Desktop\lKJbVguaav.exe Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1860 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /SpecialRun 4101d8 6924 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6396 -ip 6396
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /SpecialRun 4101d8 2540
Source: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712
Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /SpecialRun 4101d8 5616
Source: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /SpecialRun 4101d8 2028
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError, 7_2_00401C26
Source: lKJbVguaav.exe, 00000000.00000000.373079098.0000000001C00000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: lKJbVguaav.exe, 00000000.00000000.373079098.0000000001C00000.00000002.00020000.sdmp Binary or memory string: Progman
Source: lKJbVguaav.exe, 00000000.00000000.373079098.0000000001C00000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: lKJbVguaav.exe, 00000000.00000000.373079098.0000000001C00000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: lKJbVguaav.exe, 00000000.00000000.373079098.0000000001C00000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Users\user\Desktop\lKJbVguaav.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Users\user\Desktop\lKJbVguaav.exe VolumeInformation
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\lKJbVguaav.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Queries volume information: C:\Program Files\Common Files\system\E59A6148\svchost.exe VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Queries volume information: C:\Program Files\Common Files\system\E59A6148\svchost.exe VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files\Common Files\system\E59A6148\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\Desktop\lKJbVguaav.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe Code function: 7_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread, 7_2_0040A272

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0.0.lKJbVguaav.exe.40e7fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.40c7f98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.40e7fb8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.413222827.0000000004128000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lKJbVguaav.exe PID: 6396, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0.0.lKJbVguaav.exe.40e7fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.40c7f98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.lKJbVguaav.exe.40e7fb8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.413222827.0000000004128000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lKJbVguaav.exe PID: 6396, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 483912 Sample: lKJbVguaav Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 95 canonicalizer.ucsuri.tcs 2->95 97 Found malware configuration 2->97 99 Multi AV Scanner detection for dropped file 2->99 101 Sigma detected: Powershell adding suspicious path to exclusion list 2->101 103 11 other signatures 2->103 9 lKJbVguaav.exe 9 11 2->9         started        13 svchost.exe 2->13         started        15 7ADA33B7.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 dnsIp5 77 C:\Users\user\AppData\...\7ADA33B7.exe, PE32 9->77 dropped 79 C:\Program Files\Common Files\...\svchost.exe, PE32 9->79 dropped 81 C:\Users\...\7ADA33B7.exe:Zone.Identifier, ASCII 9->81 dropped 89 2 other files (1 malicious) 9->89 dropped 111 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->111 113 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->113 115 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->115 119 4 other signatures 9->119 20 7ADA33B7.exe 9->20         started        24 WerFault.exe 9->24         started        32 10 other processes 9->32 83 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 13->83 dropped 117 Adds a directory exclusion to Windows Defender 13->117 26 powershell.exe 13->26         started        28 powershell.exe 13->28         started        34 4 other processes 13->34 85 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 15->85 dropped 36 6 other processes 15->36 91 127.0.0.1 unknown unknown 17->91 93 192.168.2.1, 274 unknown unknown 17->93 87 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 17->87 dropped 30 powershell.exe 17->30         started        38 7 other processes 17->38 file6 signatures7 process8 file9 73 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 20->73 dropped 105 Adds a directory exclusion to Windows Defender 20->105 40 powershell.exe 20->40         started        49 5 other processes 20->49 75 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->75 dropped 107 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 26->107 43 conhost.exe 26->43         started        45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        51 9 other processes 32->51 53 4 other processes 34->53 55 6 other processes 36->55 57 4 other processes 38->57 signatures10 process11 signatures12 109 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 40->109 59 conhost.exe 40->59         started        61 conhost.exe 49->61         started        63 conhost.exe 49->63         started        65 conhost.exe 49->65         started        67 conhost.exe 49->67         started        69 AdvancedRun.exe 51->69         started        71 conhost.exe 53->71         started        process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private
IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
canonicalizer.ucsuri.tcs unknown unknown