
Windows Analysis Report
LADMAutoInstallService.exe.7z

Overview

General Information

Sample name: LADMAutoInstallService.exe.7z
Analysis ID: 1559383
MD5: cf40750e9e9f7a435b259d0c7ea0924b
SHA1: c12300d8ba4bf0f5a294e104dc5089f2cbf1cff2
SHA256: 5cd2a5951bfc4079cfe21f7fcda184fdf95e9b5f5c155c1a57af551536922966

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
Loading BitLocker PowerShell Module
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64_ra
  • OpenWith.exe (PID: 6496 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 6668 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6800 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 6712 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6872 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 6988 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5488 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • 7zG.exe (PID: 2792 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\LADMAutoInstallService.exe\" -spe -an -ai#7zMap26345:106:7zEvent23239 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • rundll32.exe (PID: 6292 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • LADMAutoInstallService.exe (PID: 6228 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
    • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 6376 cmdline: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\user\Desktop\LADMAutoInstallService.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • LADMAutoInstallService.exe (PID: 6296 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
    • LADMAutoInstallService.exe (PID: 2016 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install MD5: 133B9599A57A684D6E301C63C8726CEF)
  • powershell.exe (PID: 2420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • LADMAutoInstallService.exe (PID: 3488 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
    • LADMAutoInstallService.exe (PID: 6472 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install MD5: 133B9599A57A684D6E301C63C8726CEF)
  • LADMAutoInstallService.exe (PID: 4060 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
    • UDCC Launcher.exe (PID: 1832 cmdline: "C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe" MD5: EF8133C607A3A4DA67DC606B9396088A)
  • mmc.exe (PID: 5756 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc" MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)
  • mmc.exe (PID: 4176 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc" MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)
  • cleanup
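The process tree above mixes the sample's own lineage (7zG extracts the archive, two PowerShell consoles run LADMAutoInstallService.exe with and without -install, a third instance drops and starts UDCC Launcher.exe) with processes the sandbox OS started on its own (svchost.exe service hosts, SgrmBroker.exe, OpenWith.exe, rundll32.exe, mmc.exe). Several signature hits in the report are attributed to the second group: the Defender MpCmdRun.exe -wdenable run sits under the wscsvc svchost.exe, and the clipboard-capable window comes from mmc.exe. The following helper, an added example that is not part of the report or of Joe Sandbox, parses the tree text as printed above and answers the two triage questions that matter here: which processes descend from the sample, and which top-level processes have no sample instance beneath them. The "-install from a user-writable path" heuristic is the editor's own assumption, not a Joe Sandbox signature.

```python
"""Triage helper for the Joe Sandbox process tree above (added example).
TREE is copied from the report; the parser and heuristics are the editor's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = "LADMAutoInstallService.exe"

# Process tree as printed in the report; two spaces of indentation per level.
TREE = r"""
• OpenWith.exe (PID: 6496 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
• svchost.exe (PID: 6668 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
• SgrmBroker.exe (PID: 6800 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
• svchost.exe (PID: 6712 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
• svchost.exe (PID: 6872 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • MpCmdRun.exe (PID: 6988 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
    • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
• svchost.exe (PID: 5488 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
• 7zG.exe (PID: 2792 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\LADMAutoInstallService.exe\" -spe -an -ai#7zMap26345:106:7zEvent23239 MD5: 50F289DF0C19484E970849AAC4E6F977)
• rundll32.exe (PID: 6292 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
• LADMAutoInstallService.exe (PID: 6228 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
  • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
• powershell.exe (PID: 6376 cmdline: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\user\Desktop\LADMAutoInstallService.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
  • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • LADMAutoInstallService.exe (PID: 6296 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
  • LADMAutoInstallService.exe (PID: 2016 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install MD5: 133B9599A57A684D6E301C63C8726CEF)
• powershell.exe (PID: 2420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • conhost.exe (PID: 2204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • LADMAutoInstallService.exe (PID: 3488 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
  • LADMAutoInstallService.exe (PID: 6472 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install MD5: 133B9599A57A684D6E301C63C8726CEF)
• LADMAutoInstallService.exe (PID: 4060 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
  • UDCC Launcher.exe (PID: 1832 cmdline: "C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe" MD5: EF8133C607A3A4DA67DC606B9396088A)
• mmc.exe (PID: 5756 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc" MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)
• mmc.exe (PID: 4176 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc" MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)
"""

LINE = re.compile(r"^(?P<indent> *)• (?P<name>.+?) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-F]{32})\)$")


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    md5: str
    parent: Optional[int]
    children: List[int] = field(default_factory=list)


def parse_tree(text: str) -> Dict[int, Proc]:
    """Turn the indented bullet list into a PID-keyed map with parent/child links."""
    procs: Dict[int, Proc] = {}
    stack: List[tuple] = []  # (depth, pid) of the currently open ancestors
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # "System is ...", "cleanup", blank lines
            continue
        depth = len(m["indent"]) // 2
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        pid = int(m["pid"])
        procs[pid] = Proc(pid, m["name"], m["cmd"], m["md5"], parent)
        if parent is not None:
            procs[parent].children.append(pid)
        stack.append((depth, pid))
    return procs


def lineage(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from the tree root down to pid."""
    chain: List[str] = []
    while pid is not None:
        chain.append(procs[pid].name)
        pid = procs[pid].parent
    return chain[::-1]


def subtree(procs: Dict[int, Proc], pid: int) -> List[int]:
    out = [pid]
    for child in procs[pid].children:
        out.extend(subtree(procs, child))
    return out


def sample_pids(procs: Dict[int, Proc], sample: str) -> set:
    """Every instance of the sample plus everything spawned beneath one."""
    pids: set = set()
    for p in procs.values():
        if p.name.lower() == sample.lower():
            pids.update(subtree(procs, p.pid))
    return pids


def spawned_by_sample(procs: Dict[int, Proc], sample: str, name: str) -> bool:
    """True if some process called `name` has a sample instance as its direct parent."""
    return any(p.name.lower() == name.lower() and p.parent is not None
               and procs[p.parent].name.lower() == sample.lower() for p in procs.values())


def install_from_user_path(procs: Dict[int, Proc]) -> List[int]:
    """Editor's heuristic: an '-install' run whose image lives under the Users profile root."""
    hits = []
    for p in procs.values():
        tokens = p.cmdline.lower().split()
        if tokens and "\\users\\" in tokens[0] and "-install" in tokens[1:]:
            hits.append(p.pid)
    return sorted(hits)


def unrelated_roots(procs: Dict[int, Proc], sample: str) -> List[str]:
    """Top-level processes with no sample instance anywhere beneath them (sandbox/OS background)."""
    related = sample_pids(procs, sample)
    return sorted({p.name for p in procs.values()
                   if p.parent is None and not related.intersection(subtree(procs, p.pid))})


PROCS = parse_tree(TREE)
```

Running `install_from_user_path(PROCS)` returns the two `-install` runs (PIDs 2016 and 6472), both with lineage powershell.exe -> LADMAutoInstallService.exe; `spawned_by_sample(PROCS, SAMPLE, "UDCC Launcher.exe")` is true while the same check for MpCmdRun.exe is false, and `unrelated_roots` lists 7zG.exe, OpenWith.exe, SgrmBroker.exe, mmc.exe, rundll32.exe and svchost.exe as roots with nothing of the sample beneath them. Signatures sourced from those roots should be weighed accordingly before the score of 48 is read as the sample's own behaviour.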
No yara matches
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\user\Desktop\LADMAutoInstallService.exe', CommandLine: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\user\Desktop\LADMAutoInstallService.exe', CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\user\Desktop\LADMAutoInstallService.exe', ProcessId: 6376, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6668, ProcessName: svchost.exe
No Suricata rule has matched

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: download.lenovo.com
Source: C:\Windows\System32\mmc.exe | Window created: window name: CLIPBRDWNDCLASS
Source: classification engine | Classification label: mal48.evad.win7Z@30/18@2/3
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | File created: C:\Program Files (x86)\UDCCLauncher
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\LADMAutoInstallService.exe
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Mutant created: \Sessions\1\BaseNamedObjects\UDCCLauncher
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_762381681
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qeptjjcr.rsg.ps1
Source: C:\Windows\System32\OpenWith.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\LADMAutoInstallService.exe\" -spe -an -ai#7zMap26345:106:7zEvent23239
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\user\Desktop\LADMAutoInstallService.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install
Source: unknown | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: unknown | Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Process created: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe "C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe"
Source: unknown | Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Process created: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe "C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe"
Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: uilib_d_x64.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: winmm.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: d3d9.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: msimg32.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: textshaping.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: webio.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: schannel.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: acgenral.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: ninput.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: mmcndmgr.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: filemgmt.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: atlthunk.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: ieframe.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: msls31.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: dpapi.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mmc.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\OpenWith.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | File written: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\config.ini
Source: C:\Windows\System32\mmc.exe | Window found: window name: msctls_updown32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | File created: C:\LADM\lenovo_accessories_and_display_manager_v1_0_3_24_setup.exe
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | File created: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UiLib_d_x64.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | File created: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe -- Process information set: NOOPENFILEERRORBOX (6 identical rows)
Source: C:\Program Files\Windows Defender\MpCmdRun.exe -- Process information set: NOOPENFILEERRORBOX (6 identical rows)
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe -- Process information set: NOOPENFILEERRORBOX (2 identical rows)
Source: C:\Windows\System32\mmc.exe -- Process information set: NOOPENFILEERRORBOX (36 identical rows)
Source: C:\Windows\System32\mmc.exe -- Memory allocated: 5310000 memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe -- Memory allocated: 61E0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe -- Memory allocated: 62A0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe -- Memory allocated: 62F0000 memory reserve | memory write watch
Source: C:\Windows\System32\svchost.exe -- File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477 (2 identical rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 9035
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 867
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 1686
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 8050
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe -- Dropped PE file which has not been started: C:\LADM\lenovo_accessories_and_display_manager_v1_0_3_24_setup.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6008 -- Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2528 -- Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe TID: 6536 -- Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe -- File opened: PhysicalDrive0
Source: C:\Windows\System32\svchost.exe -- File Volume queried: C:\ FullSizeInformation (3 identical rows)
Source: C:\Windows\System32\svchost.exe -- File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477 (2 identical rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install
Source: C:\Windows\System32\OpenWith.exe -- Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe -- Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation (2 identical rows)
Source: C:\Windows\System32\OpenWith.exe -- Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe -- Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe -- Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation (2 identical rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation (3 identical rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (4 identical rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count shown next to that technique in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (2); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (51); Process Injection (11); Rundll32 (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (3); Process Discovery (1); Virtualization/Sandbox Evasion (51); Application Window Discovery (1); File and Directory Discovery (3); System Information Discovery (23)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Clipboard Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-t-9999.t-msedge.net | 13.107.246.254 | true | false | | unknown
arm-9999.arm-msedge.net | 4.150.240.254 | true | false | | unknown
download.lenovo.com | unknown | unknown | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
23.212.88.224 | unknown | United States | 16625 | AKAMAI-AS | false
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1559383
        Start date and time:2024-11-20 13:17:51 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsinteractivecookbook.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:32
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:1
        Technologies:
        • EGA enabled
        Analysis Mode:stream
        Analysis stop reason:Timeout
        Sample name:LADMAutoInstallService.exe.7z
        Detection:MAL
        Classification:mal48.evad.win7Z@30/18@2/3
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Excluded IPs from analysis (whitelisted): 13.95.31.18
        • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtEnumerateValueKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: LADMAutoInstallService.exe.7z
        Process:C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:modified
        Size (bytes):24539136
        Entropy (8bit):7.99210958084728
        Encrypted:true
        SSDEEP:
        MD5:5EF38158FBF927514511AF055A3D8EEA
        SHA1:1139B0823294527FB3B9E6B55167C828ECC6FAED
        SHA-256:B37E2974B4831BFFB9C1E0EF4A640C46844A88845F05E56D6BC1C31BCE359CCD
        SHA-512:24095DFF47C9FB0061C5E26E50E1EF8036BE11A43BFD8235018E52C4F867B04A33DF67DDEE1C3DBCAB2F0F6C7FD3953F1C70D581ED4B3E6D192B9842EB936B8E
        Malicious:false
        Reputation:unknown
        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...WK.b.................p...........~............@..........................P......-.....@......@...................`.......@.......................=.. )...........................................................A.. ....P.......................text....V.......X.................. ..`.itext..l....p.......\.............. ..`.data....5.......6...t..............@....bss.....g...............................idata.......@......................@....didata......P......................@....edata.......`......................@..@.tls.........p...........................rdata..]...........................@..@.rsrc...............................@..@....................................@..@........................................................
        Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
        File Type:PE32+ executable (GUI) x86-64, for MS Windows
        Category:dropped
        Size (bytes):1058592
        Entropy (8bit):7.129412434024571
        Encrypted:false
        SSDEEP:
        MD5:EF8133C607A3A4DA67DC606B9396088A
        SHA1:E9AB35E215AA38BCB498E7309E457A8431382EC7
        SHA-256:2F7F35FB28B409FB33DD152B4FAEF937E2247D50B448D4C55B7C0993929A6507
        SHA-512:F4913DDD01E0D63A456D3297CF14AC4E154CE1D19C44684656CD4B0C3DF4C96F420F108C6094A2EEAF0026A7F519CB2E55E1EE2FD2754D46991042D0A4CA973D
        Malicious:false
        Reputation:unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x...x...x.....Jx......x......x..=....x..=....x.......x..=...x......x...x...y.......x....=..x.......x..Rich.x..........PE..d.....7g.........."....(.p...........7.........@.............................P......v.....`.................................................0................0...N...... )...@..t...0[..p....................]..(....Y..@............................................text....o.......p.................. ..`.rdata..Je.......f...t..............@..@.data....9..........................@....pdata...N...0...P..................@..@.fptable.............H..............@....rsrc................J..............@..@.reloc..t....@......................@..B........................................................................................................................................................................................................
        Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
        Category:dropped
        Size (bytes):2116384
        Entropy (8bit):6.541809348870811
        Encrypted:false
        SSDEEP:
        MD5:49BB90BE6748F44AA335CBE5FDC025D8
        SHA1:19719504BA0FE8A4FEC0EDF5C4E9E7D6F0519F0C
        SHA-256:856D463B3EDAF591CAF07C3EE9264C7E0126837D338F4563519B1057DEBE9E3D
        SHA-512:1E52AD1998D34C7AD4762BED2170A0C3A72C9801D4CDD978E7D6FF0271AE1123CF189AACDA3E7D717BD96612BB41F5DAD69603DDAF3D301143AB032BB67FD061
        Malicious:false
        Reputation:unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{+./?J.|?J.|?J.|t2.}*J.|t2.}.J.|.6.}/J.|.6.}5J.|t2.}>J.|.6.}oJ.|t2.}.J.|t2.}*J.|?J.|yK.|.7.}.J.|.7.}>J.|.7.|>J.|.7.}>J.|Rich?J.|................PE..d.....Me.........." ...#...................................................... .....r. ...`.............................................t[...Z.......p ...... ...4..." . ).... ..D..`...p.......................(... ...@............................................text.............................. ..`.rdata..............................@..@.data............:...f..............@....pdata...4... ...6..................@..@_RDATA..\....` .....................@..@.rsrc........p .....................@..@.reloc...D.... ..F..................@..B........................................................................................................................................................................................
        Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):35
        Entropy (8bit):4.128724445269141
        Encrypted:false
        SSDEEP:
        MD5:C1471EAE6B46AD8C0BD5CC9C33133B4A
        SHA1:66B1FB224C8A3936BFE792EA97DE3568E0E74FDB
        SHA-256:693BD4C0B71347FD3806512824C54040D42E464B30137B0D23383E6AEAE8477E
        SHA-512:B02A6076695E3B3F9D115FAA7023B745B61031DDF19A0F7D0F963F35A6664EE31C90C64360A21459AC7FDE7D9B41378785A7C645646579CC5048698900A8E090
        Malicious:false
        Reputation:unknown
        Preview:[Settings]..prompt=false..times=0..
        Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
        File Type:ASCII text, with CR line terminators
        Category:dropped
        Size (bytes):9
        Entropy (8bit):2.4193819456463714
        Encrypted:false
        SSDEEP:
        MD5:3E0D4685A4853B77511FB4422E972579
        SHA1:21C04CA821D7A123B87A9A92331A70BB2FCEF443
        SHA-256:FE24D3350D22E5CEA07D80E6386BFF2CEEA3C1977FD4C2C7D4938E66095F9181
        SHA-512:680E56FC770201C200C4D6A12BD9DEDF1ECD849D13613903877EB33A7735840D8286A2DAF864E9813CCA4687E7384621A21CB106204A2E290CE02A4965537FC4
        Malicious:false
        Reputation:unknown
        Preview: 1.0.1.4.
        Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
        File Type:Zip archive data, at least v1.0 to extract, compression method=store
        Category:dropped
        Size (bytes):1506050
        Entropy (8bit):7.997012997865229
        Encrypted:true
        SSDEEP:
        MD5:EBD4968898A1B63F53B6919F5216914E
        SHA1:4E2D1AF438A172999706C43EEA57601178781D61
        SHA-256:9113C7D3038318FA243DA865283D724290E1A406AAF0B5D147504E877C7EDBD0
        SHA-512:5B88C9D14BF4F4582D1AE10A983108FD720822737FEF124DE0A2D4721DEC47A4050E2D91C1A95191C2A12AF81083AE30C682300B8E848835357B52F08735ED8E
        Malicious:false
        Reputation:unknown
        Preview:PK.........oY................UDCC Launcher/PK.........oY...s%...#.......UDCC Launcher/config.ini..N-)..K/...*(..-(.MK.)N..*..M-.5....PK........{.oY!s..... '......UDCC Launcher/UDCC Launcher.exe.;.pT....a.,. i......q5.......Wg.}.Wb.'.. ..6.h.%M(.\V.V..'}C..O..B@..E.......E..tA.P. .w..s.w.&..7.v&.{....w..}........B.q.l..6.>12..B..K..$...MhS..&T.,Z..].l......].tY2t....EKC.w........>.0G.u.KM}.o.........wv~...;....s.;O....O.............Kwf.G....B.;.....#Y.n..;...:B..tB..x(.\z.B.v.\F..FFH-..s.m...B...S.a.....o...2..&@.... ..ny$..J.~.+ ....6.....{.........A...Z...!...n.g..V..w(..)N..O..G...C ...."..x......@A...~'...vb..........5......^\..QF*+I.....Xqumr.K...U..{....[.b.<B....s.....X...K..#.K.)..|..p7......XDM...- .. }O.n..M......#..k.....k.........S....|.!.5.F..GlPF.E..S..sA..5.~.{.....z........4.....]....]..O.6.+}h...j......;........*'`..;.%..2...1._+._.../E......q>.l..WSE..y...v...^.'q5.yB..O.cw..!..W.D\].V.....z.....D{Wm...o'.{`..{.....5..kE.].$.
        Process:C:\Windows\System32\mmc.exe
        File Type:HTML document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3413
        Entropy (8bit):5.084486589571248
        Encrypted:false
        SSDEEP:
        MD5:A726593A8261930E4786375106FC6BFE
        SHA1:13916B1E1825549E9C36C64E35BACA204A83EF95
        SHA-256:E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172
        SHA-512:B093A2513B2C4F8544093D6E983EC580E14625E1529BC3DB22C4011980CDF44A78443C22289B11A6ED0AFAE2786D480F94B354B71496EE022E439D2BDEFBEDD2
        Malicious:false
        Reputation:unknown
        Preview:<html>.... <head>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8">.. <style>.. body {margin: 0; font: icon; color: windowtext; background:window; overflow:none}.. span {font:icon;}.. #FolderIcon {height:expression(TaskpadName.clientHeight + 10); width:100%;}.. #TaskpadName {font: caption; color:captiontext; margin-left:0; margin-right:0; margin-top: 0; width:100%; border:0; padding-left:3; padding-top:5; padding-bottom:7;}.. #DisplayNameElem {font:icon; padding-left:5px; padding-top:5px; padding-bottom:3px; padding-right:5px}.. #Details {padding-left: 12px; margin-top: 8px; overflow:auto}.. #DescriptionElem {padding-left: 12px; margin-top: 8px; overflow-y:scroll; overflow:auto}.. A:visited {color:expression(document.linkColor);}.. A:hover {color:expression(document.linkColor);}.. </style>.... <script language="javascript">.. var L_strNoItemSelected_Text
        Process:C:\Windows\System32\mmc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1835
        Entropy (8bit):4.8246355222783786
        Encrypted:false
        SSDEEP:
        MD5:BEE1758A485085BB8A121EB74BA7E96F
        SHA1:8024492E1126B17F832E36C932D433200180B693
        SHA-256:EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E
        SHA-512:BB1FE94A523EF108C49F75DA187FCC28BBF80D72233454C329134BEE2E12268D3DA344A622987B081612AA2A1EDAC8B91EEF27619C7309517AC52E7AEBF32F1A
        Malicious:false
        Reputation:unknown
        Preview:..function OnLoad()..{.. ViewPanel.addBehavior("#default#mmcview");.. MMCEvents.ConnectTo(external.Document.Application);.. UpdateState();..}....// Prevent text from being selected and messing up the UI...function document.onselectstart()..{.. event.returnValue = false;..}....function UpdateState()..{.. var strDetails = "";.. var strDisplayName = "";.. var strDescription = "";.. var i;.. var curnode;.. var strNodeType;.... N = external.Selection;.... switch(N.count).. {.. case 0:.. DisplayNameElem.style.fontWeight="normal";.. strDetails = "";.. strDisplayName = L_strNoItemSelected_Text;.. break;.... case 1:.. DisplayNameElem.style.fontWeight="bold";.. strDetails = "";.. curNode = N(1);.... // got the selected node.. strNodeType = curNode.Nodetype;.. strDisplayName = external.CellContents(curNode, 1);.. strDescription = curNode.Property("CCF_DESCRIPTION");..
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:modified
        Size (bytes):61426
        Entropy (8bit):5.07948872134001
        Encrypted:false
        SSDEEP:
        MD5:6AAF3527C80775C9128AE5B7BC0ECB4F
        SHA1:7EEF74B516BD09A29E6AECA628B76863768EEDED
        SHA-256:80812FF347086EDF15401EA1B2AC96881633B4F0FC1D2C7D3B443821770562E3
        SHA-512:58D78A85601CB830F87A6B0496BD001FA469F4B66AFAC99543C1E2021E82A819DAEE482F8F296512788B857508008708DF49427123DB775D684AE1C2F1A0A1BB
        Malicious:false
        Reputation:unknown
        Preview:PSMODULECACHE.]...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:modified
        Size (bytes):20620
        Entropy (8bit):5.547452782207848
        Encrypted:false
        SSDEEP:
        MD5:94DFE7C98B304A66B115A732DC9D4E63
        SHA1:E78B024AE02ADEB6986B09D917DC605D50465B5F
        SHA-256:7D844A81D4280E4DD04AA41E8C6081C4FC1D7A0B3222888492CD9E1418C1DE7B
        SHA-512:76F66E9F04DF1CFB6F74F3FBF1CD00CB62E62906DF68536E16E1AE23958CE46FD929F41F100256AF28F5A8002C543C5BE8829CA548F259C1F9CC153E5C68E467
        Malicious:false
        Reputation:unknown
        Preview:@...e...............$...........................................H...............o..b~.D.poM...C..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....7.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.H..............@-....f.J.|.7h8..........Microsoft.Powershell.PSReadline.P................1]...E...........(.Microsoft.PowerShell.Commands.Ma
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Reputation:unknown
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):69
        Entropy (8bit):4.454336551163421
        Encrypted:false
        SSDEEP:
        MD5:42AC583DAB0755B25AD9C227B6C00B06
        SHA1:7F656CEC1BADAF7B3D93A98F9DFF3BB68FABABB0
        SHA-256:F6A7F8CC304A3D8DD0ADA1D39369539D4391DAACEF7EB53F26E587F115E049D0
        SHA-512:2431FC92E57A88663B02CE0635E0B8811E7B61888B632BDE97074B53626BBEDA110EB8DD1C4E0AC9977AE4C13614244FF682D829C6A25FCABACB36ABDAD0CEB8
        Malicious:false
        Reputation:unknown
        Preview:.\LADMAutoInstallService.exe...\LADMAutoInstallService.exe -install..
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):0
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:
        MD5:DA59EF25F5E63F74EA7A5641E76ACADC
        SHA1:F85CCEF53C46A724CD60BE2356E4A7CDEF4B8952
        SHA-256:06C49ECD5E1CE31D9930E2E82FED61AA0FD6428BE5507EAAB8EAA74230A35A07
        SHA-512:046516CED66FDD2B8BBEBA443F5271AD90EDF7C0F5D492CC793600F9DA943E8E298517B0E1B044D195CAE02F480FE2934A60D8AE8680D89E3F4AB42AB1BCBA66
        Malicious:false
        Reputation:unknown
        Preview:...................................FL..................F.".. ......{4......lF;..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4....=qGF;..@{.mF;......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.HtYBb..............................A.p.p.D.a.t.a...B.V.1.....tYIb..Roaming.@......FW.HtYIb..........................)...R.o.a.m.i.n.g.....\.1.....FW.K..MICROS~1..D......FW.HtYBb..........................j0..M.i.c.r.o.s.o.f.t.....V.1.....GX-w..Windows.@......FW.HtYBb...........................z..W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.HtYBb....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....FW.J..Programs..j......FW.HtYBb....................@......!r.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.HGX.w..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.HtYjb....Q...........
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):0
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:
        MD5:DA59EF25F5E63F74EA7A5641E76ACADC
        SHA1:F85CCEF53C46A724CD60BE2356E4A7CDEF4B8952
        SHA-256:06C49ECD5E1CE31D9930E2E82FED61AA0FD6428BE5507EAAB8EAA74230A35A07
        SHA-512:046516CED66FDD2B8BBEBA443F5271AD90EDF7C0F5D492CC793600F9DA943E8E298517B0E1B044D195CAE02F480FE2934A60D8AE8680D89E3F4AB42AB1BCBA66
        Malicious:false
        Reputation:unknown
        Preview:...................................FL..................F.".. ......{4......lF;..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4....=qGF;..@{.mF;......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.HtYBb..............................A.p.p.D.a.t.a...B.V.1.....tYIb..Roaming.@......FW.HtYIb..........................)...R.o.a.m.i.n.g.....\.1.....FW.K..MICROS~1..D......FW.HtYBb..........................j0..M.i.c.r.o.s.o.f.t.....V.1.....GX-w..Windows.@......FW.HtYBb...........................z..W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.HtYBb....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....FW.J..Programs..j......FW.HtYBb....................@......!r.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.HGX.w..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.HtYjb....Q...........
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):5440
        Entropy (8bit):3.9402834649877114
        Encrypted:false
        SSDEEP:
        MD5:473E434B562213D3250C17558F971A14
        SHA1:9F5D2E7ECADE20E1424682227EC8D368EA64B268
        SHA-256:71689C44748666DEFEEBB0BD48DC3D977FE1F22753C9717B050C4F98F587AC08
        SHA-512:CCF1446CF4B996944281390C841FD3A5A585AD80C4639EA14893D9F203644715F0C4A1197711B773DD3B22098974A381D825A94950847C2BCE770156CC694C09
        Malicious:false
        Reputation:unknown
        Preview:...................................FL..................F. .. ......{4......~F;..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4....=qGF;...`.~F;......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.HtYBb..............................A.p.p.D.a.t.a...B.V.1.....tYIb..Roaming.@......FW.HtYIb..........................)...R.o.a.m.i.n.g.....\.1.....FW.K..MICROS~1..D......FW.HtYBb..........................j0..M.i.c.r.o.s.o.f.t.....V.1.....tYob..Windows.@......FW.HtYob..........................T.$.W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.HtYBb....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....FW.J..Programs..j......FW.HtYBb....................@......!r.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.HtYkb..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.HtYjb....Q...........
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):6220
        Entropy (8bit):3.723494799935872
        Encrypted:false
        SSDEEP:
        MD5:DA59EF25F5E63F74EA7A5641E76ACADC
        SHA1:F85CCEF53C46A724CD60BE2356E4A7CDEF4B8952
        SHA-256:06C49ECD5E1CE31D9930E2E82FED61AA0FD6428BE5507EAAB8EAA74230A35A07
        SHA-512:046516CED66FDD2B8BBEBA443F5271AD90EDF7C0F5D492CC793600F9DA943E8E298517B0E1B044D195CAE02F480FE2934A60D8AE8680D89E3F4AB42AB1BCBA66
        Malicious:false
        Reputation:unknown
        Preview:...................................FL..................F.".. ......{4......lF;..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4....=qGF;..@{.mF;......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.HtYBb..............................A.p.p.D.a.t.a...B.V.1.....tYIb..Roaming.@......FW.HtYIb..........................)...R.o.a.m.i.n.g.....\.1.....FW.K..MICROS~1..D......FW.HtYBb..........................j0..M.i.c.r.o.s.o.f.t.....V.1.....GX-w..Windows.@......FW.HtYBb...........................z..W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.HtYBb....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....FW.J..Programs..j......FW.HtYBb....................@......!r.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.HGX.w..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.HtYjb....Q...........
        Process:C:\Program Files\7-Zip\7zG.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):2412832
        Entropy (8bit):6.313384830023222
        Encrypted:false
        SSDEEP:
        MD5:133B9599A57A684D6E301C63C8726CEF
        SHA1:ED79C74FD379B250D8FCC60676703E9A294806FF
        SHA-256:784B4489D8D03FBC614BEB1AD942E4AB84AC0544CC1493F06D3FA64D274CBF68
        SHA-512:40AC777F0566761A77C2A128C0994C202CAE12610CE5FB5D6C67E4AEFDBFE6682F209ECDEA73A44118E4906D029DD823C1E1BF5763661FC641CCA6639CF4F039
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.T=:.:n:.:n:.:n3..n,.:n.|;o>.:n.|>o0.:n){>o2.:nJ~?o;.:n.|9o?.:n.|?oA.:nJ~>o6.:nJ~<o;.:nJ~;o..:n:.;n..:n){3o8.:n){.n;.:n){8o;.:nRich:.:n................PE..d...b..f.........."....(.j..........l..........@.............................P%.....=.%...`...................................................!......`$.......#..J....$. )...p$......%..p............................$..@...............8............................text...8i.......j.................. ..`.rdata..p............n..............@..@.data........0"..h....".............@....pdata...J....#..L...z".............@..@.rsrc........`$.......#.............@..@.reloc.......p$.......#.............@..B........................................................................................................................................................................................................................
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with very long lines (733), with no line terminators, with escape sequences
        Category:dropped
        Size (bytes):733
        Entropy (8bit):4.544002025687337
        Encrypted:false
        SSDEEP:
        MD5:2913881FE31A9ECCFD3EDE2918A24157
        SHA1:30883558C8E6DA7AF307A9CC90E5CA0CBFC208A9
        SHA-256:6926A219492C49112D2E59641EFCF04DE21AE078094978BBD92A7EEC16611C0C
        SHA-512:01EA380BDBF08D3E15A991047FBA792119A0658B5E4825CA34AA85EC03851A92FE730D7E728F6FC43CC5062CA68C58EF719E57F70ECB88B402F38CFDA99CF210
        Malicious:false
        Reputation:unknown
        Preview:.[93mL.[33m.[45m.[0m.[93mLA.[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m .[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m .[90m-.[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m .[90m-i.[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m .[90m-in.[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m .[90m-ins.[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m .[90m-inst.[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m .[90m-insta.[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m .[90m-instal.[33m.[45m.[0m.[93m.\LADMAutoInstallService.exe.[33m.[45m .[90m-install.[33m.[45m.[0m
        File type:7-zip archive data, version 0.4
        Entropy (8bit):7.999773808747258
        TrID:
        • 7-Zip compressed archive (6006/1) 100.00%
        File name:LADMAutoInstallService.exe.7z
        File size:880'530 bytes
        MD5:cf40750e9e9f7a435b259d0c7ea0924b
        SHA1:c12300d8ba4bf0f5a294e104dc5089f2cbf1cff2
        SHA256:5cd2a5951bfc4079cfe21f7fcda184fdf95e9b5f5c155c1a57af551536922966
        SHA512:852e6744578e9a99bcb4be2997505358e8d463b68f637eeda4e05d0e95eb94dc3dfc703a8e2a86b3a1c4dc12b268b19bddd50cac5648b01c43a069eec040a923
        SSDEEP:12288:p70TOjFNsPkc4kkfHHUZ6H1qhHCUU5yL1LC2S7y8huH3YWz8noU09CvmUMXZVfaD:p70KFeccbLZ6HgS0L1CvZuXYWIF8q6O
        TLSH:501533A1CF3FD34AFA1AC351D9A2547106BB8FDA074D0D438704CA83AB83D678915BD9
        File Content Preview:7z..'...].%).n...............s..4]s......;.................,..*.....Yr.`..}..Q..5..ut:.....m...N cE.H6F..\.R.F3.?].k.)Q.........7lf..8.L3.....;MY.~-...R....f..j...`.7..&........]..m...'v..f..p..v.'.-..Q:...n.z...>.....YC..<..O....E.......I\9.._.m..p......
        Icon Hash:72e2a2a292a2a2b2