Windows Analysis Report
bfaQ3h8zEO.exe

Overview

General Information

Sample name: bfaQ3h8zEO.exe (renamed because original name is a hash value)
Original sample name: 7e0f3c8d1ec18211d01fb37caa442947.exe
Analysis ID: 1448025
MD5: 7e0f3c8d1ec18211d01fb37caa442947
SHA1: b7d0aa951688eb8006bdd95d75d17e91fc3466ec
SHA256: 0d1b662f8b753b60f1229dbf31b2ae6e381427a6c7d3e39d748e9ea8500406c8
Tags: exe

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Loading BitLocker PowerShell Module
Sigma detected: Suspicious Script Execution From Temp Folder
Uses powercfg.exe to modify the power settings
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • bfaQ3h8zEO.exe (PID: 6260 cmdline: "C:\Users\user\Desktop\bfaQ3h8zEO.exe" MD5: 7E0F3C8D1EC18211D01FB37CAA442947)
    • bfaQ3h8zEO.exe (PID: 6368 cmdline: "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe" MD5: EE5C924CD710BEBD6B3F2CA38F3450C9)
      • winsvc.exe (PID: 5780 cmdline: "C:\Windows\system32\winsvc.exe" "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe" MD5: EE5C924CD710BEBD6B3F2CA38F3450C9)
        • powershell.exe (PID: 3756 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 6956 cmdline: "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • powershell.exe (PID: 592 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 2992 cmdline: "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • powershell.exe (PID: 7024 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 5020 cmdline: "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service." MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • powershell.exe (PID: 6664 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 7084 cmdline: "C:\Windows\system32\sc.exe" start winsvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • svchost.exe (PID: 5432 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • winsvc.exe (PID: 6844 cmdline: C:\Windows\system32\winsvc.exe MD5: EE5C924CD710BEBD6B3F2CA38F3450C9)
    • powershell.exe (PID: 1832 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7068 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2740 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6924 cmdline: "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powershell.exe (PID: 5024 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 5588 cmdline: "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powershell.exe (PID: 6360 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 7104 cmdline: "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powershell.exe (PID: 5928 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 4232 cmdline: "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powershell.exe (PID: 6856 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 3160 cmdline: "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • taskkill.exe (PID: 5328 cmdline: "taskkill.exe" "/F" "/IM" "winnet.exe" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 2100 cmdline: "taskkill.exe" "/F" "/IM" "winnet.exe" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • conhost.exe (PID: 3632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 6460 cmdline: "taskkill.exe" "/F" "/IM" "wincfg.exe" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • conhost.exe (PID: 4148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 5088 cmdline: "taskkill.exe" "/F" "/IM" "wincfg.exe" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • conhost.exe (PID: 2816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 528 cmdline: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\"", CommandLine: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\winsvc.exe, ParentImage: C:\Windows\System32\winsvc.exe, ParentProcessId: 6844, ParentProcessName: winsvc.exe, ProcessCommandLine: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\"", ProcessId: 7068, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service", CommandLine: "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\"", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3756, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service", ProcessId: 6956, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\"", CommandLine: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\"", CommandLine|base64offset|contains: K+-z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\winsvc.exe" "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe", ParentImage: C:\Windows\System32\winsvc.exe, ParentProcessId: 5780, ParentProcessName: winsvc.exe, ProcessCommandLine: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\"", ProcessId: 3756, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 5432, ProcessName: svchost.exe
No Snort rule has matched

AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: bfaQ3h8zEO.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: unknown; DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: 26.165.165.52.in-addr.arpa replaycode: Name error (3)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic; DNS traffic detected: DNS query: 26.165.165.52.in-addr.arpa
Source: bfaQ3h8zEO.exe, 00000000.00000003.2180039755.00007EF482D60000.00000004.00001000.00020000.00000000.sdmp, bfaQ3h8zEO.exe, 00000002.00000002.2352478747.00007FF6A9B2D000.00000002.00000001.01000000.00000004.sdmp, winsvc.exe, 00000004.00000002.2825499054.00007FF76537D000.00000002.00000001.01000000.00000007.sdmp, winsvc.exe, 00000013.00000000.2599440672.00007FF76537D000.00000002.00000001.01000000.00000007.sdmp, wincfg.exe.19.dr; String found in binary or memory: http://https:///&?=-_.~:
Source: powershell.exe, 00000014.00000002.2883349961.00000283266A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3034922976.0000027090066000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.2928968843.0000027080227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000014.00000002.2829790669.0000028316867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2928968843.0000027080227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000006.00000002.2561764369.000002A29B794000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2571020700.0000028F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2584191271.000002916122B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2806598724.0000022030D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2829790669.0000028316641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2928968843.0000027080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3123954778.000001BD93541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3166174331.000001DA00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3221871192.000001E95205B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.3265994018.000002A2808F6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.2829790669.0000028316867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2928968843.0000027080227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000017.00000002.2928968843.0000027080227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000019.00000002.3150068898.000001BDAB6E7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000006.00000002.2561764369.000002A29B723000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000006.00000002.2561764369.000002A29B767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2571020700.0000028F80049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2571020700.0000028F8005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2584191271.000002916126D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2584191271.0000029161235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2806598724.0000022030D6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2806598724.0000022030D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2829790669.0000028316641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2928968843.0000027080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3123954778.000001BD9356B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3123954778.000001BD93557000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3166174331.000001DA0005B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3166174331.000001DA00031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3221871192.000001E952087000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3221871192.000001E95209B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.3265994018.000002A2808F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.3265994018.000002A28090B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000017.00000002.3034922976.0000027090066000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.3034922976.0000027090066000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.3034922976.0000027090066000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000017.00000002.2928968843.0000027080227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.2588214109.000002917933F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000014.00000002.2883349961.00000283266A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3034922976.0000027090066000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: wincfg.exe.19.dr; String found in binary or memory: https://www.haskell.org/ghc/reportabug

System Summary

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe; File created: C:\Windows\system32\.coDB1C.tmp
Source: C:\Windows\System32\winsvc.exe; File created: C:\Windows\system32\winnet.exe
Source: C:\Windows\System32\winsvc.exe; File created: C:\Windows\system32\wincfg.exe
Source: C:\Windows\System32\winsvc.exe; File deleted: C:\Windows\Temp\temp-960258e834dc9feb\o
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 20_2_00007FFD344E579D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 20_2_00007FFD344E5B77
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 23_2_00007FFD344D7073
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 23_2_00007FFD344D71F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 23_2_00007FFD344D5EF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 23_2_00007FFD344D5BA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 25_2_00007FFD344F18D2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 25_2_00007FFD344F2688
Source: bfaQ3h8zEO.exe; Static PE information: Resource name: RT_VERSION type: VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79
Source: wincfg.exe.19.dr; Static PE information: Number of sections : 17 > 10
Source: bfaQ3h8zEO.exe; Static PE information: Number of sections : 17 > 10
Source: .coDB1C.tmp.2.dr; Static PE information: Number of sections : 17 > 10
Source: bfaQ3h8zEO.exe.0.dr; Static PE information: Number of sections : 17 > 10
Source: winnet.exe.19.dr; Static PE information: Number of sections : 11 > 10
Source: wincfg.exe.19.dr; Binary string: \\.\\\?\\Device\UNC\\\%ls%ls%lsccs=UNICODEccs=UTF-8ccs=UTF-16LE
Source: powershell.exe, 0000000D.00000002.2583038868.000002915F376000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: on.SLN
Source: classification engine; Classification label: mal68.evad.winEXE@73/48@2/0
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:3320:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:4184:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:5020:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:4148:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:6408:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:2832:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:5976:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:3504:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:2816:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_03
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe; File created: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648
Source: bfaQ3h8zEO.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\taskkill.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winnet.exe")
Source: C:\Windows\System32\taskkill.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winnet.exe")
Source: C:\Windows\System32\taskkill.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wincfg.exe")
Source: C:\Windows\System32\taskkill.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wincfg.exe")
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe; File read: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe
Source: unknown; Process created: C:\Users\user\Desktop\bfaQ3h8zEO.exe "C:\Users\user\Desktop\bfaQ3h8zEO.exe"
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe; Process created: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe"
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe; Process created: C:\Windows\System32\winsvc.exe "C:\Windows\system32\winsvc.exe" "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe"
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start winsvc
Source: unknown; Process created: C:\Windows\System32\winsvc.exe C:\Windows\system32\winsvc.exe
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "winnet.exe"
Source: C:\Windows\System32\taskkill.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\winsvc.exe; Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "winnet.exe"
Source: C:\Windows\System32\taskkill.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "wincfg.exe"
Source: C:\Windows\System32\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "wincfg.exe"
Source: C:\Windows\System32\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exeProcess created: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exeProcess created: C:\Windows\System32\winsvc.exe "C:\Windows\system32\winsvc.exe" "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start winsvcJump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "winnet.exe"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "winnet.exe"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "wincfg.exe"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "wincfg.exe"Jump to behavior
Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635cJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
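The process-creation lines above record one installation chain: the sample re-launches itself from the user's Temp directory, starts the copy it dropped as C:\Windows\System32\winsvc.exe, registers that copy as an auto-start service through sc.exe (with restart-on-failure and a benign-looking description), adds Windows Defender exclusions for C:\Windows\system32 and C:\Windows\Temp, switches to the built-in High performance power scheme (8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c) and zeroes the standby and hibernate timeouts, kills winnet.exe and wincfg.exe, and removes a firewall rule named "Windows Network Manager"; every PowerShell instance is started with -WindowStyle Hidden. The script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's own "Source: ... Process created: ..." format into parent/child records, rebuilds the process tree, and runs command-line and parent/child rules that cover each step of that chain. The sample lines are a trimmed subset of the report's lines (constructed here for the example), and the rule names and the ATT&CK technique labels attached to them are this example's own choices, not labels from the report.

```python
"""Added example (not part of the Joe Sandbox report): parse 'Process created'
lines into parent/child records, rebuild the process tree and run detection
rules covering the installation chain shown above. Rule names and the ATT&CK
labels attached to them are this example's own."""
import re
from collections import Counter, defaultdict

JUMP_SUFFIX = "Jump to behavior"  # page residue that trails some report lines

# Constructed sample: a trimmed subset of the report's lines, kept in its own
# "Source: <parent>Process created: <child> <cmdline>" shape.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\bfaQ3h8zEO.exeProcess created: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe"Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exeProcess created: C:\Windows\System32\winsvc.exe "C:\Windows\system32\winsvc.exe" "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe"Jump to behavior',
    r'Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""',
    r'Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""',
    r'Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"',
    r'Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "winnet.exe"',
    r'Source: C:\Windows\System32\winsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""',
    r'Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# Parent path runs straight into "Process created:" in the report; the child
# path ends at the first ".exe" followed by whitespace, the rest is the cmdline.
LINE_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?\.exe)\s*Process created:\s*(?P<child>.+?\.exe)\s+(?P<cmdline>.*)$",
    re.IGNORECASE,
)


def parse_process_lines(lines):
    """Return one {parent, child, cmdline} dict per 'Process created' line."""
    events = []
    for line in lines:
        line = line.strip()
        if line.endswith(JUMP_SUFFIX):
            line = line[: -len(JUMP_SUFFIX)].rstrip()
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def normalize(cmdline):
    """The report quotes every argv element and backslash-escapes inner quotes;
    drop both and lower-case so the rules match on plain text."""
    return cmdline.replace('\\"', "").replace('"', "").lower()


# (rule name, technique label assumed by this example, pattern over the normalized cmdline)
RULES = [
    ("defender_exclusion_added", "T1562.001 Disable or Modify Tools",
     re.compile(r"add-mppreference\s+-exclusionpath\s+\S")),
    ("service_created_with_sc", "T1543.003 Windows Service",
     re.compile(r"sc\.exe\s+create\s+\S+.*\bbinpath=")),
    ("power_settings_modified", "T1653 Power Settings",
     re.compile(r"powercfg(\.exe)?\s+-(change|setactive)\b")),
    ("firewall_rule_removed", "T1562.004 Disable or Modify System Firewall",
     re.compile(r"\bremove-netfirewallrule\b")),
    ("hidden_powershell_window", "T1564.003 Hidden Window",
     re.compile(r"powershell\.exe\s.*-windowstyle\s+hidden\b")),
    ("process_killed_by_image_name", "forced termination of a named image (competitor or older-build cleanup)",
     re.compile(r"taskkill(\.exe)?\s.*/im\s+\S+")),
]


def structural_findings(ev):
    """Rules on the parent/child paths rather than on the command line."""
    parent, child = ev["parent"].lower(), ev["child"].lower()
    if "\\appdata\\local\\temp\\" in parent and "\\windows\\system32\\" in child:
        return [("system32_binary_started_from_temp",
                 "a Temp-resident process starts a binary under System32 (winsvc.exe is dropped there)")]
    return []


def detect(events):
    """Every rule hit on every event, keeping the evidence that triggered it."""
    findings = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        hits = [(name, label) for name, label, rx in RULES if rx.search(cmd)]
        hits += structural_findings(ev)
        for name, label in hits:
            findings.append({"rule": name, "technique": label, "parent": ev["parent"],
                             "child": ev["child"], "cmdline": ev["cmdline"]})
    return findings


def build_tree(events):
    tree = defaultdict(list)
    for ev in events:
        tree[ev["parent"]].append(ev["child"])
    return dict(tree)


def roots(events):
    """Processes that only ever appear as a parent: the start of the chain."""
    return sorted({ev["parent"] for ev in events} - {ev["child"] for ev in events})


def rule_counts(findings):
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    evs = parse_process_lines(SAMPLE_LINES)
    print("chain root(s):", roots(evs))
    for f in detect(evs):
        print(f"[{f['rule']}] {f['technique']}\n    {f['child']} :: {f['cmdline'][:90]}")
    print(dict(rule_counts(detect(evs))))
```

On the full report the rule counts are correspondingly higher (two Defender exclusions, five powercfg changes, four taskkill runs), and the same rules apply unchanged to Sysmon event 1 or Windows 4688 process-creation records once the parent image, child image and command line are extracted from them instead of from the report text. The hidden-window rule on its own is noisy in administered environments; what makes this chain worth alerting on is the co-occurrence of a service install, Defender exclusions and a firewall-rule change under one short-lived parent.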
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: winmm.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe  Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\winsvc.exe  Section loaded: apphelp.dll
Source: C:\Windows\System32\winsvc.exe  Section loaded: dbghelp.dll
Source: C:\Windows\System32\winsvc.exe  Section loaded: winmm.dll
Source: C:\Windows\System32\winsvc.exe  Section loaded: dbgcore.dll
Source: C:\Windows\System32\winsvc.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\winsvc.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\winsvc.exe  Section loaded: dbghelp.dll
Source: C:\Windows\System32\winsvc.exe  Section loaded: winmm.dll
Source: C:\Windows\System32\winsvc.exe  Section loaded: dbgcore.dll
Source: C:\Windows\System32\winsvc.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\powercfg.exe  Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe  Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe  Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe  Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: bfaQ3h8zEO.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: bfaQ3h8zEO.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: bfaQ3h8zEO.exe | Static file information: File size 39188480 > 1048576
Source: bfaQ3h8zEO.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xafc000
Source: bfaQ3h8zEO.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17c5800
Source: bfaQ3h8zEO.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1e4800
Source: bfaQ3h8zEO.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: bfaQ3h8zEO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: bfaQ3h8zEO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: winnet.exe.19.dr | Static PE information: real checksum: 0x91e931 should be: 0x92754c
Source: bfaQ3h8zEO.exe | Static PE information: section name: .buildid
Source: bfaQ3h8zEO.exe | Static PE information: section name: /4
Source: bfaQ3h8zEO.exe | Static PE information: section name: /18
Source: bfaQ3h8zEO.exe | Static PE information: section name: /33
Source: bfaQ3h8zEO.exe | Static PE information: section name: /46
Source: bfaQ3h8zEO.exe | Static PE information: section name: /58
Source: bfaQ3h8zEO.exe | Static PE information: section name: /70
Source: bfaQ3h8zEO.exe | Static PE information: section name: /81
Source: bfaQ3h8zEO.exe | Static PE information: section name: /95
Source: bfaQ3h8zEO.exe.0.dr | Static PE information: section name: .buildid
Source: bfaQ3h8zEO.exe.0.dr | Static PE information: section name: /4
Source: bfaQ3h8zEO.exe.0.dr | Static PE information: section name: /18
Source: bfaQ3h8zEO.exe.0.dr | Static PE information: section name: /33
Source: bfaQ3h8zEO.exe.0.dr | Static PE information: section name: /46
Source: bfaQ3h8zEO.exe.0.dr | Static PE information: section name: /58
Source: bfaQ3h8zEO.exe.0.dr | Static PE information: section name: /70
Source: bfaQ3h8zEO.exe.0.dr | Static PE information: section name: /81
Source: bfaQ3h8zEO.exe.0.dr | Static PE information: section name: /95
Source: .coDB1C.tmp.2.dr | Static PE information: section name: .buildid
Source: .coDB1C.tmp.2.dr | Static PE information: section name: /4
Source: .coDB1C.tmp.2.dr | Static PE information: section name: /18
Source: .coDB1C.tmp.2.dr | Static PE information: section name: /33
Source: .coDB1C.tmp.2.dr | Static PE information: section name: /46
Source: .coDB1C.tmp.2.dr | Static PE information: section name: /58
Source: .coDB1C.tmp.2.dr | Static PE information: section name: /70
Source: .coDB1C.tmp.2.dr | Static PE information: section name: /81
Source: .coDB1C.tmp.2.dr | Static PE information: section name: /95
Source: winnet.exe.19.dr | Static PE information: section name: .xdata
Source: wincfg.exe.19.dr | Static PE information: section name: .buildid
Source: wincfg.exe.19.dr | Static PE information: section name: /4
Source: wincfg.exe.19.dr | Static PE information: section name: /18
Source: wincfg.exe.19.dr | Static PE information: section name: /33
Source: wincfg.exe.19.dr | Static PE information: section name: /46
Source: wincfg.exe.19.dr | Static PE information: section name: /58
Source: wincfg.exe.19.dr | Static PE information: section name: /70
Source: wincfg.exe.19.dr | Static PE information: section name: /81
Source: wincfg.exe.19.dr | Static PE information: section name: /95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD344C00BD pushad ; iretd 6_2_00007FFD344C00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD344B00BD pushad ; iretd 10_2_00007FFD344B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD344B0B31 push E95B7ECCh; ret 10_2_00007FFD344B0B69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD344D00BD pushad ; iretd 13_2_00007FFD344D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD344D00BD pushad ; iretd 16_2_00007FFD344D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD343CD2A5 pushad ; iretd 20_2_00007FFD343CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD344E00BD pushad ; iretd 20_2_00007FFD344E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFD343BD2A5 pushad ; iretd 23_2_00007FFD343BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFD344D00BD pushad ; iretd 23_2_00007FFD344D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFD344D357F push esp; retf 23_2_00007FFD344D3582
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFD345A80A0 push eax; iretd 23_2_00007FFD345A80A1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFD345A7D3C push ebx; iretd 23_2_00007FFD345A7D3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFD345A79CB push esi; iretd 23_2_00007FFD345A79CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFD345A704D pushad ; iretd 23_2_00007FFD345A704E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_00007FFD344F00BD pushad ; iretd 25_2_00007FFD344F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 28_2_00007FFD344D00BD pushad ; iretd 28_2_00007FFD344D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_00007FFD344B00BD pushad ; iretd 31_2_00007FFD344B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_00007FFD344B2005 push E95E5413h; ret 31_2_00007FFD344B2049

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Executable created and started: C:\Windows\system32\winsvc.exe
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | File created: C:\Windows\System32\.coDB1C.tmp
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe | File created: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | File created: C:\Windows\system32\.coDB1C.tmp (copy)
Source: C:\Windows\System32\winsvc.exe | File created: C:\Windows\System32\winnet.exe
Source: C:\Windows\System32\winsvc.exe | File created: C:\Windows\System32\wincfg.exe
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | File created: C:\Windows\system32\winsvc.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | File created: C:\Windows\System32\.coDB1C.tmp
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | File created: C:\Windows\system32\.coDB1C.tmp (copy)
Source: C:\Windows\System32\winsvc.exe | File created: C:\Windows\System32\winnet.exe
Source: C:\Windows\System32\winsvc.exe | File created: C:\Windows\System32\wincfg.exe
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | File created: C:\Windows\system32\winsvc.exe (copy)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\winsvc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\winsvc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\winsvc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\winsvc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\winsvc.exe | Process information set: NOOPENFILEERRORBOX (same entry repeated for winsvc.exe)
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe | Code function: 0_3_0000029C173FAB8C sldt word ptr [eax-4D2DAB18h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (same entry repeated for powershell.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1275
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1703
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 989
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 862
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1501
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2765
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6071
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3527
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1216
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 551
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 932
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 454
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1255
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 357
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 989
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1192
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 598
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8016
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1574
Source: C:\Windows\System32\winsvc.exe | Dropped PE file which has not been started: C:\Windows\System32\winnet.exe
Source: C:\Windows\System32\winsvc.exe | Dropped PE file which has not been started: C:\Windows\System32\wincfg.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1432 | Thread sleep count: 1275 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1432 | Thread sleep count: 1703 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4196 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 828 | Thread sleep count: 989 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2144 | Thread sleep count: 297 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5160 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5932 | Thread sleep count: 904 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1924 | Thread sleep count: 862 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3352 | Thread sleep count: 1501 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3352 | Thread sleep count: 294 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5912 | Thread sleep count: 6966 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6872 | Thread sleep count: 2765 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5936 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5724 | Thread sleep count: 6071 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6052 | Thread sleep count: 3527 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4552 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6972 | Thread sleep count: 1216 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6972 | Thread sleep count: 551 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3756 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3000 | Thread sleep count: 932 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 964 | Thread sleep count: 454 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6932 | Thread sleep count: 1255 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 340 | Thread sleep count: 357 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4044 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1668 | Thread sleep count: 989 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2672 | Thread sleep count: 48 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4412 | Thread sleep count: 1192 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2532 | Thread sleep count: 598 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4136 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2220 | Thread sleep count: 8016 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1864 | Thread sleep count: 1574 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2896 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: bfaQ3h8zEO.exe | Binary or memory string: vmcI ~Zyd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe | Process created: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe"
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Process created: C:\Windows\System32\winsvc.exe "C:\Windows\system32\winsvc.exe" "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start winsvc
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "winnet.exe"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "winnet.exe"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "wincfg.exe"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "wincfg.exe"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\powercfg.exe "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "winnet.exe"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "winnet.exe"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "wincfg.exe"
Source: C:\Windows\System32\winsvc.exe | Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" "/F" "/IM" "wincfg.exe"
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe VolumeInformation
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe VolumeInformation
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648 VolumeInformation
Source: C:\Users\user\Desktop\bfaQ3h8zEO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Queries volume information: C:\Windows\System32\.coDB1C.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Queries volume information: C:\Windows\System32\.coDB1C.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Queries volume information: C:\Windows\System32\.coDB1C.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe | Queries volume information: C:\Windows\System32\.coDB1C.tmp VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548 VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-bc64bd95903f6548\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-2c7b90dba33a7b4f\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-33776c65875f50bf\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-33776c65875f50bf\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-33776c65875f50bf\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-33776c65875f50bf\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-33776c65875f50bf\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-33776c65875f50bf\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-33776c65875f50bf VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-33776c65875f50bf\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-33776c65875f50bf\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-33776c65875f50bf\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-efebf5d6b25fadc7\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-efebf5d6b25fadc7\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-efebf5d6b25fadc7\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-efebf5d6b25fadc7\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-efebf5d6b25fadc7\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-efebf5d6b25fadc7\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-efebf5d6b25fadc7 VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-efebf5d6b25fadc7\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-efebf5d6b25fadc7\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\temp-efebf5d6b25fadc7\e VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-960258e834dc9feb\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-0ccbc5db50c71fc1\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-0ccbc5db50c71fc1\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-0ccbc5db50c71fc1\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-0ccbc5db50c71fc1\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-0ccbc5db50c71fc1\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-0ccbc5db50c71fc1\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-0ccbc5db50c71fc1 VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-0ccbc5db50c71fc1\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-0ccbc5db50c71fc1\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-0ccbc5db50c71fc1\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-58d4539a148483b4\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-58d4539a148483b4\i VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-58d4539a148483b4\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-58d4539a148483b4\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-58d4539a148483b4\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-58d4539a148483b4\e VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-58d4539a148483b4 VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-58d4539a148483b4\o VolumeInformation
Source: C:\Windows\System32\winsvc.exe | Queries volume information: C:\Windows\Temp\temp-58d4539a148483b4\i VolumeInformation
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-58d4539a148483b4\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-cef0f84caead9618 VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-cef0f84caead9618\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-cef0f84caead9618\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-cef0f84caead9618\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-d5bedc39722a417e\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-d5bedc39722a417e\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-d5bedc39722a417e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-d5bedc39722a417e\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-d5bedc39722a417e\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-d5bedc39722a417e\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-0bf3d664ffd651be\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-0bf3d664ffd651be\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-0bf3d664ffd651be\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-0bf3d664ffd651be\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-0bf3d664ffd651be VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-0bf3d664ffd651be\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-0bf3d664ffd651be\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-0bf3d664ffd651be\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-4dc56a639e291c66\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-4dc56a639e291c66\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-4dc56a639e291c66 VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-4dc56a639e291c66\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-4dc56a639e291c66\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-4dc56a639e291c66\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7af85bdcd6f49bbb VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7af85bdcd6f49bbb\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7af85bdcd6f49bbb\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7af85bdcd6f49bbb\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-dc349aaef70f7b7f\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-dc349aaef70f7b7f\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-dc349aaef70f7b7f VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-dc349aaef70f7b7f\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-dc349aaef70f7b7f\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-dc349aaef70f7b7f\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7f5b67a696b2c511\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7f5b67a696b2c511\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7f5b67a696b2c511\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7f5b67a696b2c511\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7f5b67a696b2c511\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7f5b67a696b2c511\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7f5b67a696b2c511 VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7f5b67a696b2c511\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7f5b67a696b2c511\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-7f5b67a696b2c511\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-316681d3e5baa519 VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-316681d3e5baa519\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-316681d3e5baa519\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-316681d3e5baa519\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\System32\winnet.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\System32\winnet.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\System32\wincfg.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\System32\wincfg.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-ee441b3474b4fce4\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-ee441b3474b4fce4\i VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-ee441b3474b4fce4\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-ee441b3474b4fce4\o VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-ee441b3474b4fce4\e VolumeInformationJump to behavior
Source: C:\Windows\System32\winsvc.exeQueries volume information: C:\Windows\Temp\temp-ee441b3474b4fce4\e VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information (VolumeInformation). Identical rows are collapsed below; the number in parentheses is how many rows queried that path, listed in order of first appearance.

  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (25)
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll (9)
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll (8)
  C:\ (8)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (3)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (3)
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll (3)
  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll (9)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat (3)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat (3)
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll (3)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (11)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (1)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (1)
  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll (1)
  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll (1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetSecurity\Microsoft.Windows.Firewall.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
MITRE ATT&CK Matrix (techniques matched in this analysis carry their count in parentheses):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation (1), Service Execution (1), At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: Windows Service (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Windows Service (1), Process Injection (11), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading (12), Disable or Modify Tools (11), Virtualization/Sandbox Evasion (31), Process Injection (11), Obfuscated Files or Information (1), DLL Side-Loading (1), File Deletion (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Information Discovery (12), Wi-Fi Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Behavior Graph (ID: 1448025, Sample: bfaQ3h8zEO.exe, Start date: 27/05/2024, Architecture: WINDOWS, Score: 68), rendered as a process tree:

  • Start
    • DNS: 26.165.165.52.in-addr.arpa, 206.23.85.13.in-addr.arpa
    • Signatures: Antivirus detection for URL or domain; Sigma detected: Suspicious Script Execution From Temp Folder
    • Started: winsvc.exe 50, bfaQ3h8zEO.exe 2, svchost.exe
  • winsvc.exe 50
    • Dropped: C:\Windows\System32\winnet.exe (PE32+), C:\Windows\System32\wincfg.exe (PE32+)
    • Signature: Adds a directory exclusion to Windows Defender
    • Started: powershell.exe 23, powershell.exe 23, powershell.exe, 9 other processes
  • bfaQ3h8zEO.exe 2
    • Dropped: C:\Users\user\AppData\...\bfaQ3h8zEO.exe (PE32+)
    • Started: bfaQ3h8zEO.exe 1
  • powershell.exe 23 (first)
    • Signature: Loading BitLocker PowerShell Module
    • Started: conhost.exe
  • powershell.exe 23 (second)
    • Started: conhost.exe
  • powershell.exe (third)
    • Started: conhost.exe
  • bfaQ3h8zEO.exe 1
    • Dropped: C:\Windows\system32\winsvc.exe (copy) (PE32+), C:\Windows\system32\.coDB1C.tmp (copy) (PE32+), C:\Windows\System32\.coDB1C.tmp (PE32+)
    • Signature: Drops executables to the windows directory (C:\Windows) and starts them
    • Started: winsvc.exe 16
  • 9 other processes
    • Started: conhost.exe, powercfg.exe 1, conhost.exe, 11 other processes
  • winsvc.exe 16
    • Signature: Adds a directory exclusion to Windows Defender
    • Started: powershell.exe 7, powershell.exe 7, powershell.exe 7, powershell.exe 7
  • powershell.exe 7 (first)
    • Signature: Uses powercfg.exe to modify the power settings
    • Started: conhost.exe, sc.exe 1
  • powershell.exe 7 (second, third and fourth)
    • Started: conhost.exe, sc.exe 1 (each)

Source | Detection | Scanner | Label | Link
bfaQ3h8zEO.exe | 11% | ReversingLabs | Win64.Trojan.Generic |

No Antivirus matches

Source | Detection | Scanner | Label | Link
26.165.165.52.in-addr.arpa | 1% | Virustotal | | Browse
206.23.85.13.in-addr.arpa | 1% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://go.microsoft.co | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://www.microsoft. | 0% | URL Reputation | safe |
https://aka.ms/pscore6 | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://https:///&?=-_.~: | 0% | Avira URL Cloud | safe |
https://www.haskell.org/ghc/reportabug | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
https://www.haskell.org/ghc/reportabug | 0% | Virustotal | | Browse
https://github.com/Pester/Pester | 1% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
26.165.165.52.in-addr.arpa | unknown | unknown | false | | unknown
206.23.85.13.in-addr.arpa | unknown | unknown | false | | unknown
Name: http://https:///&?=-_.~:
Source: bfaQ3h8zEO.exe, 00000000.00000003.2180039755.00007EF482D60000.00000004.00001000.00020000.00000000.sdmp, bfaQ3h8zEO.exe, 00000002.00000002.2352478747.00007FF6A9B2D000.00000002.00000001.01000000.00000004.sdmp, winsvc.exe, 00000004.00000002.2825499054.00007FF76537D000.00000002.00000001.01000000.00000007.sdmp, winsvc.exe, 00000013.00000000.2599440672.00007FF76537D000.00000002.00000001.01000000.00000007.sdmp, wincfg.exe.19.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000014.00000002.2883349961.00000283266A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3034922976.0000027090066000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
  • URL Reputation: safe
Reputation: unknown

Name: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.2928968843.0000027080227000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Antivirus Detection:
  • URL Reputation: malware
Reputation: unknown

Name: https://go.microsoft.co
Source: powershell.exe, 0000000D.00000002.2588214109.000002917933F000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000014.00000002.2829790669.0000028316867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2928968843.0000027080227000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
  • URL Reputation: safe
Reputation: unknown

Name: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000017.00000002.2928968843.0000027080227000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000014.00000002.2829790669.0000028316867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2928968843.0000027080227000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
  • URL Reputation: safe
Reputation: unknown

Name: https://contoso.com/
Source: powershell.exe, 00000017.00000002.3034922976.0000027090066000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

Name: https://nuget.org/nuget.exe
Source: powershell.exe, 00000014.00000002.2883349961.00000283266A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3034922976.0000027090066000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

Name: https://www.haskell.org/ghc/reportabug
Source: wincfg.exe.19.dr
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://contoso.com/License
Source: powershell.exe, 00000017.00000002.3034922976.0000027090066000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

Name: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.3034922976.0000027090066000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

Name: http://www.microsoft.
Source: powershell.exe, 00000019.00000002.3150068898.000001BDAB6E7000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

Name: https://aka.ms/pscore6
Source: powershell.exe, 00000006.00000002.2561764369.000002A29B723000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

Name: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2561764369.000002A29B767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2571020700.0000028F80049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2571020700.0000028F8005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2584191271.000002916126D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2584191271.0000029161235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2806598724.0000022030D6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2806598724.0000022030D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2829790669.0000028316641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2928968843.0000027080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3123954778.000001BD9356B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3123954778.000001BD93557000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3166174331.000001DA0005B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3166174331.000001DA00031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3221871192.000001E952087000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3221871192.000001E95209B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.3265994018.000002A2808F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.3265994018.000002A28090B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2561764369.000002A29B794000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2571020700.0000028F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2584191271.000002916122B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2806598724.0000022030D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2829790669.0000028316641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2928968843.0000027080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3123954778.000001BD93541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3166174331.000001DA00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3221871192.000001E95205B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.3265994018.000002A2808F6000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
  • URL Reputation: safe
Reputation: unknown

Name: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.2928968843.0000027080227000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1448025
Start date and time:2024-05-27 14:52:13 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 8m 49s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:51
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:bfaQ3h8zEO.exe
renamed because original name is a hash value
Original Sample Name:7e0f3c8d1ec18211d01fb37caa442947.exe
Detection:MAL
Classification:mal68.evad.winEXE@73/48@2/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 27
  • Number of non-executed functions: 3
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target bfaQ3h8zEO.exe, PID 6260 because there are no executed functions
  • Execution Graph export aborted for target powershell.exe, PID 1832 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 2740 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 3756 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 5024 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 592 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 6360 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 6664 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 7024 because it is empty
  • Execution Graph export aborted for target powershell.exe, PID 7068 because it is empty
  • Execution Graph export aborted for target winsvc.exe, PID 5780 because there are no executed functions
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
Time | Type | Description
08:54:14 | API Interceptor | 55x Sleep call for process: powershell.exe modified
No context
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Preview:@...e...........................................................
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\bfaQ3h8zEO.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):44055040
Entropy (8bit):6.5693074960067275
Encrypted:false
SSDEEP:393216:06pUjJKQSoCsjjd3s1OnV3rjL/i6WTUevd2ZhO:hpUDLC+3s1obXWT9vdmh
MD5:EE5C924CD710BEBD6B3F2CA38F3450C9
SHA1:BF06C5D4DFA7A0EDA88613D7349ABD8B372CD531
SHA-256:0F11BD40958528256D4BF12CEFDC1761ABBC7C0AA1BED56D7CF6760E873E2603
SHA-512:76869CAF8008EE2976122FF61A69F84D2F0B35B215E607744E98AF133674AB091966DDDB6D8719B69EF815A884617F466CAFEEAA7A41492D45A5D840E40F5B65
Malicious:true
Process:C:\Windows\System32\winsvc.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):35
Entropy (8bit):4.10144963262962
Encrypted:false
SSDEEP:3:iWnXTMGMDMCVXtv:irGMQCVXd
MD5:94BBF4528D6E6523B8816B8827253392
SHA1:225F1B03851EAF7C6C3CA3A6D80B887D10A989D6
SHA-256:278CAE689D7DD61A74BC8DBC11F3ADAA8BACD956B5CB627D958CD62E01EB7A03
SHA-512:38A4A576377FC1183FB833132B810628026E8FE096CE941E4B0395F3C059A946BC4CC01A420280CAE5B52262C80AC918B1F21C12B011618E65D2D8EB45EBC3CF
Malicious:false
Preview:[SC] ChangeServiceConfig2 SUCCESS..
Process:C:\Windows\System32\winsvc.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):28
Entropy (8bit):3.678439190827718
Encrypted:false
SSDEEP:3:4A4AnXjzSv:4HAnXjg
MD5:A8F4D690C5BDE96AD275C7D4ABE0E3D3
SHA1:7C62C96EFD2CA4F3C3EBF0B24C9B5B4C04A4570A
SHA-256:596CCC911C1772735AAC6A6B756A76D3D55BCECD006B980CF147090B2243FA7B
SHA-512:A875EBE3C5CDF222FF9D08576F4D996AF827A1C86B3E758CE23F6B33530D512A82CE8E39E519837512080C6212A0A19B3385809BE5F5001C4E488DD79550B852
Malicious:false
Preview:[SC] CreateService SUCCESS..
Process:C:\Windows\System32\winsvc.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):422
Entropy (8bit):3.5673432491403516
Encrypted:false
SSDEEP:6:lg3D/8FfgVKBRjGxVVLvH2s/u8qLLFmLaZnsHgm66//V+Nms2fq:lgANgV0qVbH2suZLQqOVKmVq
MD5:C0B3A6BAE6796B406F06649A6583276D
SHA1:768612B89430869843D97BD64EBFBD7EF7598A72
SHA-256:47A042358D3A2D123C4BA917CF7AE3822E88A15B22FD2798BDEE2E9A9881D337
SHA-512:7CF1AE9821B1DE7DA4036C9DED29AEDC00D5391B411F9B93B24CA1DB45097DCF23F40F34E9F0F74E9B117E337CEA13370E07A8AAAE0BBB9D31E84FC25F9A2303
Malicious:false
Preview:..SERVICE_NAME: winsvc .. TYPE : 10 WIN32_OWN_PROCESS .. STATE : 2 START_PENDING .. (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN).. WIN32_EXIT_CODE : 0 (0x0).. SERVICE_EXIT_CODE : 0 (0x0).. CHECKPOINT : 0x0.. WAIT_HINT : 0x7d0.. PID : 6844.. FLAGS : ..
Process:C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):44055040
Entropy (8bit):6.5693074960067275
Encrypted:false
SSDEEP:393216:06pUjJKQSoCsjjd3s1OnV3rjL/i6WTUevd2ZhO:hpUDLC+3s1obXWT9vdmh
MD5:EE5C924CD710BEBD6B3F2CA38F3450C9
SHA1:BF06C5D4DFA7A0EDA88613D7349ABD8B372CD531
SHA-256:0F11BD40958528256D4BF12CEFDC1761ABBC7C0AA1BED56D7CF6760E873E2603
SHA-512:76869CAF8008EE2976122FF61A69F84D2F0B35B215E607744E98AF133674AB091966DDDB6D8719B69EF815A884617F466CAFEEAA7A41492D45A5D840E40F5B65
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Preview:@...e...........................................................
Process:C:\Windows\System32\winsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):36044288
Entropy (8bit):5.86376063013227
Encrypted:false
SSDEEP:196608:TqECiEvN7AVEENPcheAcqgHsnw+RMUGwXo2ElDIy5eZwDIYj7IYe60:TZCpAVED5FHWcy5eZwDIWIY50
MD5:AA9CB7626B2A7DD8B2DA2C15A456A5C6
SHA1:1A0112EA8D90C22D9DF8A0D89FBCAF0288683E7C
SHA-256:C27EB33AE53CFB1CB9ACAFDB501799126A67A31D6749DC2DFFE0F2D12015D9B6
SHA-512:D379527FE96421C85393E1E892D2C723B2B83726EFCA637C166D299D5237C1B1C82F099EB1BF9E935D4918F184CB0A0805E3CFE3AD4B43A5ADFFE2531C62DDCB
Malicious:false
Process:C:\Windows\System32\winsvc.exe
File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):9556480
Entropy (8bit):6.57630137882343
Encrypted:false
SSDEEP:98304:qS6/G31ALxFCEhIF1R94TS5++x81d9kpiB7T/jrpayDHDG9P:V31ALKDXz+BNDK
MD5:2FDBF4BA6AB24CF44AA0CC08CD77CA66
SHA1:DF5E034BA45A932B9F5D3ED7ADC4A71E0B376984
SHA-256:FCD362E0632B35DAD13A87F09EA6DA4D07FA89516F42D64236D2CC3E3B2B725B
SHA-512:81D73F7540EDE7337922DC18FC6B110C87F621BC0349C3FA17F50D1CB924B0D9B30A4A772B2D548238B65A1BE43D458F1991320E7308E608C6CF40CCC3E59A51
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:modified
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\winsvc.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):866
Entropy (8bit):5.008678710476478
Encrypted:false
SSDEEP:24:nt0vndauf/ko+3bdh5wt0gVuf/ko+3bdh5m:nticQ+3OtZQ+3U
MD5:636776BA74B0D57E8BEEE7DC00BACBE4
SHA1:021219443A273F7F7C5A325633D4A3AB94C30467
SHA-256:FD1DB78A598F729D19CFE855AAC867365F03B5C2F78FF9E069454DF82FA07603
SHA-512:0F473872FC6CA65462243B5363A550894FBE9EFADA2AD8CC222F3D93EB733E8F2EF4922C864AC47C735A81A524015AF501B290CF37358C9BE1684BB6CF8C65D7
Malicious:false
Preview:Add-MpPreference : Operation failed with the following error: 0x800106ba. Operation: MpPreference. Target: ..ConfigListExtension...At line:1 char:1..+ Add-MpPreference -ExclusionPath "C:\Windows\Temp"..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..Add-MpPreference : Operation failed with the following error: 0x%1!x!..At line:1 char:1..+ Add-MpPreference -ExclusionPath "C:\Windows\Temp"..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..
Process:C:\Windows\System32\winsvc.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):44
Entropy (8bit):4.4622883690707695
Encrypted:false
SSDEEP:3:RLg9duHSB9sLKUe9y:RLg9duyTke9y
MD5:EBB385DFF450B9D1BE4AC19BEEF30A07
SHA1:734B804E7BCDF92102FF73D1F5C7739A4A2E2637
SHA-256:A870C1BCA002E57BA38F6B3844FA9216E2D3325C34AF82497C9D38D6E16500E7
SHA-512:B2E78D40086C6A48F5CB2AD31689BC6F7574663A45A4B4BA67112F1DC5FF162263CB5779F89F34BEB8D793CCF6DC20A60DBD9C882E98E84551CE22F251EF45EB
Malicious:false
Preview:ERROR: The process "wincfg.exe" not found...
Process:C:\Windows\System32\winsvc.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):44
Entropy (8bit):4.351953074246375
Encrypted:false
SSDEEP:3:RLg9duHS70CHxKUe9y:RLg9duyXe9y
MD5:0932D5415E2B24853A94F8F757DB0F5C
SHA1:2A3797E1EF38A9C01A8029A10BE4117F812EF34C
SHA-256:44929C5D3FF265B9E787408D31A7EED62EAC4871345383506FBF8D03D775FDB8
SHA-512:12A48661A7920958058387174DA2512168411B4D9D89F131FB0559B5816BF6A9DAF9FF514F570277097AD6E1D45CE9336F877F8C059C6979E3A59C6C0F2CBAF1
Malicious:false
Preview:ERROR: The process "winnet.exe" not found...
Process:C:\Windows\System32\winsvc.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):882
Entropy (8bit):5.022527784857279
Encrypted:false
SSDEEP:24:nt0vndau1/ko+3bdh5wt0gVu1/ko+3bdh5m:nticq+3OtZq+3U
MD5:819A5506BB212167BCA65242C37D5F38
SHA1:75A4B2162DF84C294ED47D9CCA340B961396EA37
SHA-256:06CC134FDA3CE0C7AD05E86CE253A0B97383059A4B010051EAD8BE62CD7F4AB6
SHA-512:79337C936FAE6D96A50D5D1D6D42C6706AB5E6B36F02CA52524569E301D647EF0C0AE6FCDDB80FB1933A8B0C48C6913BCF27A40B67599C739699B627B86D339A
Malicious:false
Preview:Add-MpPreference : Operation failed with the following error: 0x800106ba. Operation: MpPreference. Target: ..ConfigListExtension...At line:1 char:1..+ Add-MpPreference -ExclusionPath "C:\Windows\system32"..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..Add-MpPreference : Operation failed with the following error: 0x%1!x!..At line:1 char:1..+ Add-MpPreference -ExclusionPath "C:\Windows\system32"..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):7.454631081248141
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:bfaQ3h8zEO.exe
File size:39'188'480 bytes
MD5:7e0f3c8d1ec18211d01fb37caa442947
SHA1:b7d0aa951688eb8006bdd95d75d17e91fc3466ec
SHA256:0d1b662f8b753b60f1229dbf31b2ae6e381427a6c7d3e39d748e9ea8500406c8
SHA512:c3fcbd890412c394afcd4a4fa72aba08605e6537960b03ec19dd145135ed859af8ec3ca5c186715271728c2426f1d1c4f1f4a7804d94e6bf54ded7401aa7ba51
SSDEEP:786432:ipMd3xukBTzYofeBo2q3Zf+W2K54lIQXgjmrQjhBcG:KM/NTz6q5ZQXgjmro
TLSH:A387AF259E5199CBC55CC031AF6C1DAE16577895823A37F30AB4C7326EA3B801DEE9F0
File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...O5Tf..... ...."..........2......P..........@..............................V.......V...`........................................
Icon Hash:2d2e3797b32b2b99
Entrypoint:0x140001150
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x6654354F [Mon May 27 07:25:03 2024 UTC]
TLS Callbacks:0x40125a80, 0x1, 0x40125b00, 0x1
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:dbdb3394f3635ff3c214941def324f31
Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00AFBEC5h]
mov dword ptr [eax], 00000001h
call 00007F06E144FFDFh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 00000090h
xorps xmm0, xmm0
movaps dqword ptr [esp+70h], xmm0
movaps dqword ptr [esp+60h], xmm0
movaps dqword ptr [esp+50h], xmm0
movaps dqword ptr [esp+40h], xmm0
movaps dqword ptr [esp+30h], xmm0
movaps dqword ptr [esp+20h], xmm0
dec eax
mov dword ptr [esp+00000080h], 00000000h
dec esp
mov esi, dword ptr [00AFBE6Eh]
inc ecx
cmp dword ptr [esi], 00000000h
je 00007F06E144FFDDh
dec eax
lea ecx, dword ptr [esp+20h]
call dword ptr [022B8EFDh]
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov esi, dword ptr [eax+08h]
dec esp
mov edi, dword ptr [00AFBE71h]
xor eax, eax
dec ecx
cmpxchg dword ptr [edi], esi
sete bl
je 00007F06E144FFF7h
dec eax
cmp esi, eax
je 00007F06E144FFF2h
dec eax
mov edi, dword ptr [022B9189h]
nop
mov ecx, 000003E8h
call edi
xor eax, eax
dec ecx
cmpxchg dword ptr [edi], esi
sete bl
je 00007F06E144FFD7h
dec eax
cmp esi, eax
jne 00007F06E144FFBAh
dec eax
mov esi, dword ptr [00AFBE41h]
mov eax, dword ptr [esi]
cmp eax, 01h
jne 00007F06E144FFDEh
mov ecx, 0000001Fh
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x22b8ec8        0x1e0         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x24b3000        0xce4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x24ac000        0x4fa4        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x24b4000        0x5cd14       .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x22c3000        0x1c          .buildid
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x21586c8        0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x22b9da8        0xd00         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size   MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text     0x1000           0xafbe76      0xafc000   8bd4842ce68facc15d22d0ba114288eb  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata    0xafd000         0x17c567c     0x17c5800  032d97c0b94b945a9cb3a87245ef3a0c  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.buildid  0x22c3000        0x35          0x200      59f507d5377be3a756236fca4b7d91c6  False     0.11328125           data       0.6723006689082892  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0x22c4000        0x1e8000      0x1e4800   fc7ab3f47e3497ee32dc7f90200acd02  False     0.18257889093137256  data       3.8548585356431198  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata    0x24ac000        0x4fa4        0x5000     67c7dbae933727e876f2f8f208b50ccd  False     0.542626953125       data       6.378398156793157   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata    0x24b1000        0xa00         0xa00      a0c1edcdfe3a3a276a98b7c5d97f4a1f  False     0.28359375           data       4.1990899953372     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls      0x24b2000        0x18          0x200      bf619eac0cdf3f68d496ea9344137e8b  False     0.02734375           data       0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x24b3000        0xce4         0xe00      bec5ab5cdcf151d284a9c3359c4a2263  False     0.27762276785714285  data       3.849285316622695   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0x24b4000        0x5cd14       0x5ce00    acee8dc671287a3f9bc07defd012c320  False     0.11762649310228802  data       5.430712340480561   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4        0x2511000        0x3f08        0x4000     c9e2cca9f3e4bbe91602c9797a3a2079  False     0.18218994140625     data       4.6199819704653375  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/18       0x2515000        0x120         0x200      e1cd27e09b6224800b36b5530aed32f9  False     0.1796875            data       1.1303584613031892  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/33       0x2516000        0xf0          0x200      da4f41e61d23ccd67eec44de2d599957  False     0.23046875           data       2.452950612706351   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46       0x2517000        0x11865       0x11a00    1908dd57f2b1fd879faeefccc2f43e17  False     0.5019392730496454   data       5.299868791478804   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/58       0x2529000        0xf8bc        0xfa00     1420f7cd50ebcc5db4487421e703bff8  False     0.41696875           data       5.866334594547823   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70       0x2539000        0x2330d       0x23400    19ff5c5de4ed98669726c244ac45dcbd  False     0.2282316600177305   data       2.7451409260214095  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81       0x255d000        0x3ce0        0x3e00     7136b11571f6a87b6caeda5f96c3cf16  False     0.20041582661290322  data       1.9540991526019316  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/95       0x2561000        0x8c52        0x8e00     dc7c948cdbccf856a7fc880ff505fc56  False     0.1989161531690141   data       5.244423066283124   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
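The section table above is the kind of thing worth re-deriving from the raw file rather than trusting a single tool's rendering. The following is an added example, not code from the report or from the analysed binary: a stdlib-only Python parser that walks the DOS header, PE signature, COFF header and section table, computes the per-section Shannon entropy shown in the Entropy column, and flags the anomalies an analyst checks first (a second, writable .rdata; "/N" section names, which GNU ld emits for names longer than 8 bytes and which usually carry DWARF debug data in MinGW builds; more sections than usual; high-entropy sections). The image it parses is constructed inside the code to mirror the shapes in this table and is not the analysed file; to run it against the real sample, replace SAMPLE with the bytes of the file. The flag thresholds (10 sections, entropy 7.0, 4 KiB of virtual-over-raw slack) are my assumptions.

```python
import math
import struct
from collections import Counter

# IMAGE_SCN_* flags from winnt.h
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE      = 0x02000000
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform): the figure in the Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table (stdlib only)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                     # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "chars": chars, "entropy": shannon_entropy(raw)})
    return sections


def flag_sections(sections, max_normal=10):
    """Anomalies an analyst checks first in a section table like the one above (thresholds assumed)."""
    findings = []
    names = Counter(s["name"] for s in sections)
    if len(sections) > max_normal:
        findings.append(f"{len(sections)} sections (more than {max_normal})")
    for s in sections:
        c = s["chars"]
        if s["name"].startswith("/"):
            # GNU ld stores names longer than 8 bytes as "/<offset into the COFF string table>".
            findings.append(f"{s['name']}: GNU long-name stub (non-standard name)")
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: writable and executable")
        if s["name"] == ".rdata" and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: read-only data section is writable")
        if names[s["name"]] > 1:
            findings.append(f"{s['name']}: duplicate section name")
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} (packed or encrypted data)")
        if s["vsize"] > s["rawsize"] + 0x1000:
            findings.append(f"{s['name']}: virtual size exceeds raw size by more than 4 KiB (filled at run time)")
    return findings


def build_test_pe(sections):
    """Constructed minimal PE32+ (not the sample): MZ stub, PE signature, COFF header,
    240-byte optional header, section table, then 512-byte-aligned raw section data."""
    mz = bytearray(64)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 64)               # e_lfanew
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table_off = 64 + 4 + len(coff) + len(opt)
    raw_off = (table_off + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, blobs, va = b"", b"", 0x1000
    for name, chars, data in sections:
        rawsize = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va,
                             rawsize, raw_off + len(blobs), 0, 0, 0, 0, chars)
        blobs += data.ljust(rawsize, b"\0")
        va += max(0x1000, (len(data) + 0xFFF) & ~0xFFF)
    return bytes((mz + b"PE\0\0" + coff + opt + table).ljust(raw_off, b"\0") + blobs)


# Constructed sample mirroring the shapes in the table above: code, a normal .rdata,
# a second writable .rdata, and a GNU "/4" stub section.
SAMPLE = build_test_pe([
    (".text",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, bytes(range(256)) * 4),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"\0" * 512),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"ABCD" * 128),
    ("/4",     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ, b"\x01\x02" * 256),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE):
        print(f"{s['name']:<8} va=0x{s['va']:07x} vsize=0x{s['vsize']:x} raw=0x{s['rawsize']:x} "
              f"entropy={s['entropy']:.2f} chars=0x{s['chars']:08x}")
    for line in flag_sections(parse_sections(SAMPLE)):
        print("!", line)
```

The Xored PE and ZLIB Complexity columns are Joe Sandbox's own heuristics and are not reproduced; the "unknown" values for .text and the first .rdata in the table above are what the tool reports for those two very large sections.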
Name           RVA        Size   Type                                                                                          Language  Country        ZLIB Complexity
RT_ICON        0x24b3130  0x8a8  Device independent bitmap graphic, 32 x 64 x 8, image size 0                                 English   United States  0.2134476534296029
RT_GROUP_ICON  0x24b39d8  0x14   data                                                                                          English   United States  1.15
RT_VERSION     0x24b39ec  0x178  VAX COFF executable, sections 52, created Sat Mar 7 05:34:56 1970, not stripped, version 79  English   United States  0.550531914893617
RT_MANIFEST    0x24b3b64  0x17d  ASCII text                                                                                    English   United States  0.5118110236220472
Note: the "VAX COFF executable" type shown for RT_VERSION is a libmagic misidentification of a VS_VERSIONINFO blob, not evidence of an embedded executable; the resource directory (0xce4 bytes in total) holds only an icon, its group entry, version information and the manifest.
DLL: Imports
KERNEL32.dll: AcquireSRWLockExclusive, AddDllDirectory, AddVectoredContinueHandler, AreFileApisANSI, AssignProcessToJobObject, Beep, CancelIoEx, CancelSynchronousIo, CloseHandle, CopyFileW, CreateDirectoryExW, CreateDirectoryW, CreateEventA, CreateEventW, CreateFileW, CreateIoCompletionPort, CreateJobObjectW, CreateNamedPipeW, CreatePipe, CreateProcessW, CreateSymbolicLinkW, CreateThread, CreateTimerQueue, CreateTimerQueueTimer, CreateToolhelp32Snapshot, DefineDosDeviceW, DeleteCriticalSection, DeleteFileW, DeleteTimerQueueEx, DeleteTimerQueueTimer, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExitThread, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindCloseChangeNotification, FindFirstChangeNotificationW, FindFirstFileW, FindNextChangeNotification, FindNextFileW, FlushConsoleInputBuffer, FlushFileBuffers, FormatMessageA, FormatMessageW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, FreeLibrary, GenerateConsoleCtrlEvent, GetACP, GetActiveProcessorCount, GetActiveProcessorGroupCount, GetBinaryTypeW, GetCPInfo, GetCommandLineW, GetConsoleCP, GetConsoleMode, GetConsoleOutputCP, GetConsoleScreenBufferInfo, GetConsoleScreenBufferInfoEx, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDiskFreeSpaceW, GetEnvironmentStrings, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetExitCodeThread, GetFileAttributesA, GetFileAttributesExW, GetFileAttributesW, GetFileInformationByHandle, GetFileSizeEx, GetFileTime, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetLocalTime, GetLogicalDrives, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetNumaHighestNodeNumber, GetNumaNodeProcessorMask, GetNumberOfConsoleInputEvents, GetOEMCP, GetOverlappedResult, GetProcAddress, GetProcessAffinityMask, GetProcessId, GetProcessTimes, GetQueuedCompletionStatusEx, GetShortPathNameW, GetStartupInfoA, GetStdHandle, GetSystemDirectoryW,
    GetSystemInfo, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetTempFileNameW, GetTempPathW, GetThreadTimes, GetTickCount, GetTickCount64, GetTimeFormatEx, GetTimeFormatW, GetTimeZoneInformation, GetWindowsDirectoryW, GlobalMemoryStatusEx, InitializeConditionVariable, InitializeCriticalSection, InitializeSRWLock, IsDBCSLeadByteEx, K32EnumProcessModules, K32GetModuleFileNameExW, K32GetModuleInformation, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFileTimeToFileTime, LocalFree, LockFileEx, Module32FirstW, Module32NextW, MoveFileExW, MoveFileW, MultiByteToWideChar, OpenProcess, OpenThread, OutputDebugStringA, PeekConsoleInputA, PeekNamedPipe, PostQueuedCompletionStatus, Process32FirstW, Process32NextW, QueryInformationJobObject, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleInputA, ReadConsoleInputW, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RemoveDirectoryW, RemoveDllDirectory, RemoveVectoredContinueHandler, ResetEvent, ResumeThread, RtlAddFunctionTable, RtlDeleteFunctionTable, SearchPathW, SetConsoleCP, SetConsoleCtrlHandler, SetConsoleCursorPosition, SetConsoleMode, SetConsoleOutputCP, SetConsoleScreenBufferSize, SetCurrentDirectoryW, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFileApisToANSI, SetFileApisToOEM, SetFileAttributesW, SetFileCompletionNotificationModes, SetFilePointerEx, SetFileTime, SetHandleCount, SetHandleInformation, SetInformationJobObject, SetLastError, SetLocalTime, SetNamedPipeHandleState, SetSystemTime, SetSystemTimeAdjustment, SetThreadAffinityMask, SetThreadGroupAffinity, SetUnhandledExceptionFilter, SetVolumeLabelW, Sleep, SleepConditionVariableSRW, SwitchToThread, SystemTimeToFileTime, TerminateJobObject, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnlockFileEx, UnmapViewOfFile, VirtualAlloc, VirtualAllocExNuma, VirtualFree, VirtualProtect, VirtualQuery, WaitForSingleObject, WakeAllConditionVariable, WakeConditionVariable,
    WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
USER32.dll: ClipCursor, ExitWindowsEx, GetClipCursor, GetCursorPos, GetLastInputInfo, KillTimer, LoadAcceleratorsW, LoadCursorW, LoadIconW, MessageBeep, MessageBoxA, MessageBoxW, SetCursorPos, SetTimer
api-ms-win-crt-heap-l1-1-0.dll: _aligned_free, _aligned_malloc, _set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-private-l1-1-0.dll: memchr, memcmp, memcpy, memmove, strrchr, strstr
api-ms-win-crt-runtime-l1-1-0.dll: __p___argc, __p___argv, __p___wargv, __p__acmdln, _assert, _beginthreadex, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _fpreset, _getpid, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_app_type, _set_invalid_parameter_handler, _wassert, abort, exit, raise, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll: __acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfprintf, __stdio_common_vfwprintf, __stdio_common_vswprintf, __stdio_common_vswprintf_s, _chsize_s, _close, _creat, _dup, _dup2, _fileno, _get_osfhandle, _isatty, _lseeki64, _open_osfhandle, _pipe, _read, _setmode, _wfdopen, _write, fclose, feof, fflush, fputc, fputwc, fread, fseek, ftell, fwrite, getc, puts, ungetc
api-ms-win-crt-string-l1-1-0.dll: _strdup, _wcsdup, isspace, isxdigit, mbrlen, memset, strcmp, strcpy, strlen, strncmp, strncpy, strtok, tolower, wcscat, wcscmp, wcscpy, wcslen, wcsncmp
SHELL32.dll: CommandLineToArgvW, SHGetFolderPathW
api-ms-win-crt-environment-l1-1-0.dll: __p__environ, __p__wenviron, getenv
api-ms-win-crt-convert-l1-1-0.dll: atof, atoi, mbrtowc, mbstowcs, strtol, strtoll, strtoul, strtoull, wcrtomb
api-ms-win-crt-locale-l1-1-0.dll: _configthreadlocale, localeconv, setlocale
api-ms-win-crt-math-l1-1-0.dll: __setusermatherr, acos, acosh, acoshf, asin, asinh, asinhf, atan, atanh, atanhf, cosh, exp2, expm1, expm1f, log1p, log1pf, log2, sinh, tan, tanh, tanhf
api-ms-win-crt-time-l1-1-0.dll: __daylight, __timezone, __tzname, _ctime64, _time64, _tzset, _utime64, clock
ADVAPI32.dll: GetUserNameW
ole32.dll: CoCreateGuid
RPCRT4.dll: RpcStringFreeW, UuidToStringW
WS2_32.dll: WSACreateEvent, WSAEventSelect, closesocket, recv, select, send
WINMM.dll: timeGetTime
ntdll.dll: NtQueryObject
api-ms-win-crt-filesystem-l1-1-0.dll: _access, _chmod, _fstat64, _lock_file, _mkdir, _umask, _unlink, _unlock_file, _wsplitpath_s, _wstat64
GDI32.dll: DeleteObject, Polygon
api-ms-win-crt-utility-l1-1-0.dll: qsort
dbghelp.dll: MiniDumpWriteDump, StackWalk64, SymFromAddr, SymFunctionTableAccess64, SymGetLineFromAddr64, SymGetModuleBase64, SymInitialize
Note: the api-ms-win-crt-* imports and the .buildid section point to a MinGW-w64 build against the Universal CRT. Several imports are worth keeping in mind when reading the behaviour below: GetLastInputInfo, GetCursorPos, SetCursorPos and ClipCursor let the binary measure or manipulate user activity; ExitWindowsEx, SetSystemTime, SetSystemTimeAdjustment and SetVolumeLabelW need elevated privileges; the dbghelp imports are a crash-dump and stack-trace facility; and WS2_32 supplies only raw socket I/O (recv, send, select), with no WinINet or WinHTTP import, so any higher-level protocol is either implemented on top of these or resolved at run time through the imported LoadLibraryW/GetProcAddress.
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                             Source Port  Dest Port  Source IP     Dest IP
May 27, 2024 14:53:35.777225018 CEST  53           49974      162.159.36.2  192.168.2.6
May 27, 2024 14:53:36.304439068 CEST  59119        53         192.168.2.6   1.1.1.1
May 27, 2024 14:53:36.312377930 CEST  53           59119      1.1.1.1       192.168.2.6
May 27, 2024 14:53:38.439692020 CEST  50222        53         192.168.2.6   1.1.1.1
May 27, 2024 14:53:38.456743002 CEST  53           50222      1.1.1.1       192.168.2.6

DNS queries
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                        Type                  Class        DNS over HTTPS
May 27, 2024 14:53:36.304439068 CEST  192.168.2.6  1.1.1.1  0x114c    Standard query (0)  206.23.85.13.in-addr.arpa   PTR (Pointer record)  IN (0x0001)  false
May 27, 2024 14:53:38.439692020 CEST  192.168.2.6  1.1.1.1  0x4ed1    Standard query (0)  26.165.165.52.in-addr.arpa  PTR (Pointer record)  IN (0x0001)  false

DNS answers
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code      Name                        CName  Address  Type                  Class        DNS over HTTPS
May 27, 2024 14:53:36.312377930 CEST  1.1.1.1    192.168.2.6  0x114c    Name error (3)  206.23.85.13.in-addr.arpa   none   none     PTR (Pointer record)  IN (0x0001)  false
May 27, 2024 14:53:38.456743002 CEST  1.1.1.1    192.168.2.6  0x4ed1    Name error (3)  26.165.165.52.in-addr.arpa  none   none     PTR (Pointer record)  IN (0x0001)  false

Note: the only name resolution in this capture is two reverse (PTR) lookups, for 13.85.23.206 and 52.165.165.26, both answered NXDOMAIN (reply code 3) by 1.1.1.1; the first packet is a reply from 162.159.36.2 on port 53 whose matching query is not in the capture. No forward (A/AAAA) lookup and no TCP or UDP exchange other than these DNS packets appears here, so the capture contains no command-and-control contact for the sample; a failed PTR lookup is not, by itself, evidence of one.

Target ID:0
Start time:08:53:04
Start date:27/05/2024
Path:C:\Users\user\Desktop\bfaQ3h8zEO.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\bfaQ3h8zEO.exe"
Imagebase:0x7ff615540000
File size:39'188'480 bytes
MD5 hash:7E0F3C8D1EC18211D01FB37CAA442947
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:08:53:06
Start date:27/05/2024
Path:C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe"
Imagebase:0x7ff6a75d0000
File size:44'055'040 bytes
MD5 hash:EE5C924CD710BEBD6B3F2CA38F3450C9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:4
Start time:08:53:27
Start date:27/05/2024
Path:C:\Windows\System32\winsvc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\winsvc.exe" "C:\Users\user\AppData\Local\Temp\bfaQ3h8zEO-89f31222ee311648\bfaQ3h8zEO.exe"
Imagebase:0x7ff762e20000
File size:44'055'040 bytes
MD5 hash:EE5C924CD710BEBD6B3F2CA38F3450C9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:6
Start time:08:53:48
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:08:53:48
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:08:53:48
Start date:27/05/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:9
Start time:08:53:49
Start date:27/05/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
Imagebase:0x7ff6e2bf0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:10
Start time:08:53:49
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:08:53:50
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:08:53:50
Start date:27/05/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
Imagebase:0x7ff6e2bf0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:13
Start time:08:53:51
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:08:53:51
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:08:53:51
Start date:27/05/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
Imagebase:0x7ff6e2bf0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:16
Start time:08:53:52
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:08:53:52
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:18
Start time:08:53:52
Start date:27/05/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\sc.exe" start winsvc
Imagebase:0x7ff7934f0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:08:53:53
Start date:27/05/2024
Path:C:\Windows\System32\winsvc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\winsvc.exe
Imagebase:0x7ff762e20000
File size:44'055'040 bytes
MD5 hash:EE5C924CD710BEBD6B3F2CA38F3450C9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:20
Start time:08:54:13
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:08:54:13
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:08:54:24
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:08:54:24
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:08:54:42
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:08:54:42
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:08:54:42
Start date:27/05/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
Imagebase:0x7ff6dc4f0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:08:54:49
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:08:54:49
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:08:54:49
Start date:27/05/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
Imagebase:0x7ff6dc4f0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:08:54:54
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:08:54:54
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:08:54:54
Start date:27/05/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
Imagebase:0x7ff6dc4f0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:08:54:59
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:08:54:59
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:08:54:59
Start date:27/05/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
Imagebase:0x7ff6dc4f0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:08:55:03
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:08:55:03
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:08:55:03
Start date:27/05/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
Imagebase:0x7ff6dc4f0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:08:55:03
Start date:27/05/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:"taskkill.exe" "/F" "/IM" "winnet.exe"
Imagebase:0x7ff68fd50000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:08:55:03
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:08:55:04
Start date:27/05/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:"taskkill.exe" "/F" "/IM" "winnet.exe"
Imagebase:0x7ff68fd50000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:08:55:04
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:08:55:04
Start date:27/05/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:"taskkill.exe" "/F" "/IM" "wincfg.exe"
Imagebase:0x7ff68fd50000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:08:55:04
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:08:55:04
Start date:27/05/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:"taskkill.exe" "/F" "/IM" "wincfg.exe"
Imagebase:0x7ff68fd50000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:08:55:04
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:08:55:05
Start date:27/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:50
Start time:08:55:05
Start date:27/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false
