Windows Analysis Report
LADMAutoInstallService.exe.7z

Overview

General Information

Sample name: LADMAutoInstallService.exe.7z
Analysis ID: 1559394
MD5: cf40750e9e9f7a435b259d0c7ea0924b
SHA1: c12300d8ba4bf0f5a294e104dc5089f2cbf1cff2
SHA256: 5cd2a5951bfc4079cfe21f7fcda184fdf95e9b5f5c155c1a57af551536922966

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
Loading BitLocker PowerShell Module
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64_ra
  • svchost.exe (PID: 5632 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • OpenWith.exe (PID: 6432 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • 7zG.exe (PID: 3908 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\LADMAutoInstallService.exe\" -spe -an -ai#7zMap13334:106:7zEvent29364 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • svchost.exe (PID: 7080 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 7060 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 2560 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7152 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 4480 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6512 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • rundll32.exe (PID: 6636 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • svchost.exe (PID: 3348 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • powershell.exe (PID: 7064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • LADMAutoInstallService.exe (PID: 5156 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install MD5: 133B9599A57A684D6E301C63C8726CEF)
    • LADMAutoInstallService.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install MD5: 133B9599A57A684D6E301C63C8726CEF)
    • LADMAutoInstallService.exe (PID: 6400 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
    • LADMAutoInstallService.exe (PID: 2852 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -remove MD5: 133B9599A57A684D6E301C63C8726CEF)
    • LADMAutoInstallService.exe (PID: 3916 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install MD5: 133B9599A57A684D6E301C63C8726CEF)
  • LADMAutoInstallService.exe (PID: 5488 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
  • LADMAutoInstallService.exe (PID: 4112 cmdline: "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" MD5: 133B9599A57A684D6E301C63C8726CEF)
    • UDCC Launcher.exe (PID: 3192 cmdline: "C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe" MD5: EF8133C607A3A4DA67DC606B9396088A)
  • cleanup
No yara matches
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5728, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 7064, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5632, ProcessName: svchost.exe
No Suricata rule has matched

Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: download.lenovo.com
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: classification engine | Classification label: mal48.evad.win7Z@29/20@2/41
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | File created: C:\Program Files (x86)\UDCCLauncher
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\LADMAutoInstallService.exe
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe | Mutant created: \Sessions\1\BaseNamedObjects\UDCCLauncher
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5932:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_762381681
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oxax403i.5ku.ps1
Source: C:\Windows\System32\OpenWith.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\LADMAutoInstallService.exe\" -spe -an -ai#7zMap13334:106:7zEvent29364
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install
Source: unknown | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -remove
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Process created: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe "C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe"
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dll
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: iertutil.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winnsi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: webio.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: schannel.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: gpapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: dpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: propsys.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: iertutil.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: ntshrui.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: srvcli.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: cscapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: netutils.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msimg32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: iertutil.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winnsi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: webio.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: schannel.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: gpapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: dpapi.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: winsta.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeSection loaded: apphelp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: apphelp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: uilib_d_x64.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: winhttp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: winmm.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: d3d9.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: dwmapi.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: windows.storage.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: wldp.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: msasn1.dll
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exeFile written: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\config.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe File created: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UiLib_d_x64.dll
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe File created: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2380
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7528
Source: C:\Program Files\7-Zip\7zG.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
Source: C:\Windows\System32\svchost.exe TID: 6744 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1228 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exe TID: 2060 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -install
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe "C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe" -remove
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Program Files (x86)\UDCCLauncher\UDCC Launcher\UDCC Launcher.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct' (9 identical entries)
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 identical entries)
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Windows Management Instrumentation
1
DLL Side-Loading
11
Process Injection
12
Masquerading
OS Credential Dumping3
Security Software Discovery
Remote ServicesData from Local System1
Non-Application Layer Protocol
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
1
Disable or Modify Tools
LSASS Memory1
Process Discovery
Remote Desktop ProtocolData from Removable Media1
Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)42
Virtualization/Sandbox Evasion
Security Account Manager42
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection
NTDS1
Application Window Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Rundll32
LSA Secrets3
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading
Cached Domain Credentials23
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
t-9999.t-msedge.net | 13.107.213.254 | true | false | | unknown
download.lenovo.com | unknown | unknown | false | | unknown
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
23.212.88.224 | unknown | United States | | 16625 | AKAMAI-ASUS | false
184.28.90.27 | unknown | United States | | 16625 | AKAMAI-ASUS | false
40.126.32.72 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
      IP
      127.0.0.1
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1559394
      Start date and time:2024-11-20 13:28:52 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:defaultwindowsinteractivecookbook.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:27
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:1
      Technologies:
      • EGA enabled
      Analysis Mode:stream
      Analysis stop reason:Timeout
      Sample name:LADMAutoInstallService.exe.7z
      Detection:MAL
      Classification:mal48.evad.win7Z@29/20@2/41
      • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 184.28.90.27, 40.126.32.72, 40.126.32.76, 40.126.32.140, 40.126.32.134, 40.126.32.74, 20.190.160.22, 40.126.32.136, 20.190.160.20, 52.149.20.212
      • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, fs.microsoft.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, login.live.com, e16604.g.akamaiedge.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtCreateKey calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: LADMAutoInstallService.exe.7z
      Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
      File Type:PE32+ executable (GUI) x86-64, for MS Windows
      Category:dropped
      Size (bytes):1058592
      Entropy (8bit):7.129412434024571
      Encrypted:false
      SSDEEP:
      MD5:EF8133C607A3A4DA67DC606B9396088A
      SHA1:E9AB35E215AA38BCB498E7309E457A8431382EC7
      SHA-256:2F7F35FB28B409FB33DD152B4FAEF937E2247D50B448D4C55B7C0993929A6507
      SHA-512:F4913DDD01E0D63A456D3297CF14AC4E154CE1D19C44684656CD4B0C3DF4C96F420F108C6094A2EEAF0026A7F519CB2E55E1EE2FD2754D46991042D0A4CA973D
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x...x...x.....Jx......x......x..=....x..=....x.......x..=...x......x...x...y.......x....=..x.......x..Rich.x..........PE..d.....7g.........."....(.p...........7.........@.............................P......v.....`.................................................0................0...N...... )...@..t...0[..p....................]..(....Y..@............................................text....o.......p.................. ..`.rdata..Je.......f...t..............@..@.data....9..........................@....pdata...N...0...P..................@..@.fptable.............H..............@....rsrc................J..............@..@.reloc..t....@......................@..B........................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
      Category:dropped
      Size (bytes):2116384
      Entropy (8bit):6.541809348870811
      Encrypted:false
      SSDEEP:
      MD5:49BB90BE6748F44AA335CBE5FDC025D8
      SHA1:19719504BA0FE8A4FEC0EDF5C4E9E7D6F0519F0C
      SHA-256:856D463B3EDAF591CAF07C3EE9264C7E0126837D338F4563519B1057DEBE9E3D
      SHA-512:1E52AD1998D34C7AD4762BED2170A0C3A72C9801D4CDD978E7D6FF0271AE1123CF189AACDA3E7D717BD96612BB41F5DAD69603DDAF3D301143AB032BB67FD061
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{+./?J.|?J.|?J.|t2.}*J.|t2.}.J.|.6.}/J.|.6.}5J.|t2.}>J.|.6.}oJ.|t2.}.J.|t2.}*J.|?J.|yK.|.7.}.J.|.7.}>J.|.7.|>J.|.7.}>J.|Rich?J.|................PE..d.....Me.........." ...#...................................................... .....r. ...`.............................................t[...Z.......p ...... ...4..." . ).... ..D..`...p.......................(... ...@............................................text.............................. ..`.rdata..............................@..@.data............:...f..............@....pdata...4... ...6..................@..@_RDATA..\....` .....................@..@.rsrc........p .....................@..@.reloc...D.... ..F..................@..B........................................................................................................................................................................................
      Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):35
      Entropy (8bit):4.128724445269141
      Encrypted:false
      SSDEEP:
      MD5:C1471EAE6B46AD8C0BD5CC9C33133B4A
      SHA1:66B1FB224C8A3936BFE792EA97DE3568E0E74FDB
      SHA-256:693BD4C0B71347FD3806512824C54040D42E464B30137B0D23383E6AEAE8477E
      SHA-512:B02A6076695E3B3F9D115FAA7023B745B61031DDF19A0F7D0F963F35A6664EE31C90C64360A21459AC7FDE7D9B41378785A7C645646579CC5048698900A8E090
      Malicious:false
      Reputation:unknown
      Preview:[Settings]..prompt=false..times=0..
      Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
      File Type:ASCII text, with CR line terminators
      Category:dropped
      Size (bytes):9
      Entropy (8bit):2.4193819456463714
      Encrypted:false
      SSDEEP:
      MD5:3E0D4685A4853B77511FB4422E972579
      SHA1:21C04CA821D7A123B87A9A92331A70BB2FCEF443
      SHA-256:FE24D3350D22E5CEA07D80E6386BFF2CEEA3C1977FD4C2C7D4938E66095F9181
      SHA-512:680E56FC770201C200C4D6A12BD9DEDF1ECD849D13613903877EB33A7735840D8286A2DAF864E9813CCA4687E7384621A21CB106204A2E290CE02A4965537FC4
      Malicious:false
      Reputation:unknown
      Preview: 1.0.1.4.
      Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
      File Type:Zip archive data, at least v1.0 to extract, compression method=store
      Category:modified
      Size (bytes):1506050
      Entropy (8bit):7.997012997865229
      Encrypted:true
      SSDEEP:
      MD5:EBD4968898A1B63F53B6919F5216914E
      SHA1:4E2D1AF438A172999706C43EEA57601178781D61
      SHA-256:9113C7D3038318FA243DA865283D724290E1A406AAF0B5D147504E877C7EDBD0
      SHA-512:5B88C9D14BF4F4582D1AE10A983108FD720822737FEF124DE0A2D4721DEC47A4050E2D91C1A95191C2A12AF81083AE30C682300B8E848835357B52F08735ED8E
      Malicious:false
      Reputation:unknown
      Preview:PK.........oY................UDCC Launcher/PK.........oY...s%...#.......UDCC Launcher/config.ini..N-)..K/...*(..-(.MK.)N..*..M-.5....PK........{.oY!s..... '......UDCC Launcher/UDCC Launcher.exe.;.pT....a.,. i......q5.......Wg.}.Wb.'.. ..6.h.%M(.\V.V..'}C..O..B@..E.......E..tA.P. .w..s.w.&..7.v&.{....w..}........B.q.l..6.>12..B..K..$...MhS..&T.,Z..].l......].tY2t....EKC.w........>.0G.u.KM}.o.........wv~...;....s.;O....O.............Kwf.G....B.;.....#Y.n..;...:B..tB..x(.\z.B.v.\F..FFH-..s.m...B...S.a.....o...2..&@.... ..ny$..J.~.+ ....6.....{.........A...Z...!...n.g..V..w(..)N..O..G...C ...."..x......@A...~'...vb..........5......^\..QF*+I.....Xqumr.K...U..{....[.b.<B....s.....X...K..#.K.)..|..p7......XDM...- .. }O.n..M......#..k.....k.........S....|.!.5.F..GlPF.E..S..sA..5.~.{.....z........4.....]....]..O.6.+}h...j......;........*'`..;.%..2...1._+._.../E......q>.l..WSE..y...v...^.'q5.yB..O.cw..!..W.D\].V.....z.....D{Wm...o'.{`..{.....5..kE.].$.
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:dropped
      Size (bytes):61426
      Entropy (8bit):5.07948872134001
      Encrypted:false
      SSDEEP:
      MD5:6AAF3527C80775C9128AE5B7BC0ECB4F
      SHA1:7EEF74B516BD09A29E6AECA628B76863768EEDED
      SHA-256:80812FF347086EDF15401EA1B2AC96881633B4F0FC1D2C7D3B443821770562E3
      SHA-512:58D78A85601CB830F87A6B0496BD001FA469F4B66AFAC99543C1E2021E82A819DAEE482F8F296512788B857508008708DF49427123DB775D684AE1C2F1A0A1BB
      Malicious:false
      Reputation:unknown
      Preview:PSMODULECACHE.]...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Reputation:unknown
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):199
      Entropy (8bit):4.626707226966147
      Encrypted:false
      SSDEEP:
      MD5:B64B84BB60737F2A6A412231408EDC27
      SHA1:5CFA9FA878193D412BE196A01CB6D961BD98B759
      SHA-256:A983EB27E2EDBDBD5C1F58A0E3AC3E7162C998C0D415D25AD170D99A6A0BF6E3
      SHA-512:A4FAB0A0720A94FAE665A8A2C74B7386C5417EFD170FDC531CE2E8B0A606883F3FD3B4398EDE3ADAAEE2EE40B6B09431BF30C3434907150FCA453FD63DABF139
      Malicious:false
      Reputation:unknown
      Preview:cd C:\Users\user\Desktop\LADMAutoInstallService.exe...\LADMAutoInstallService.exe -install...\LADMAutoInstallService.exe...\LADMAutoInstallService.exe -remove...\LADMAutoInstallService.exe -install..
      Process:C:\Program Files\7-Zip\7zG.exe
      File Type:PE32+ executable (console) x86-64, for MS Windows
      Category:dropped
      Size (bytes):2412832
      Entropy (8bit):6.313384830023222
      Encrypted:false
      SSDEEP:
      MD5:133B9599A57A684D6E301C63C8726CEF
      SHA1:ED79C74FD379B250D8FCC60676703E9A294806FF
      SHA-256:784B4489D8D03FBC614BEB1AD942E4AB84AC0544CC1493F06D3FA64D274CBF68
      SHA-512:40AC777F0566761A77C2A128C0994C202CAE12610CE5FB5D6C67E4AEFDBFE6682F209ECDEA73A44118E4906D029DD823C1E1BF5763661FC641CCA6639CF4F039
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.T=:.:n:.:n:.:n3..n,.:n.|;o>.:n.|>o0.:n){>o2.:nJ~?o;.:n.|9o?.:n.|?oA.:nJ~>o6.:nJ~<o;.:nJ~;o..:n:.;n..:n){3o8.:n){.n;.:n){8o;.:nRich:.:n................PE..d...b..f.........."....(.j..........l..........@.............................P%.....=.%...`...................................................!......`$.......#..J....$. )...p$......%..p............................$..@...............8............................text...8i.......j.................. ..`.rdata..p............n..............@..@.data........0"..h....".............@....pdata...J....#..L...z".............@..@.rsrc........`$.......#.............@..@.reloc.......p$.......#.............@..B........................................................................................................................................................................................................................
      Process:C:\Windows\System32\svchost.exe
      File Type:JSON data
      Category:dropped
      Size (bytes):55
      Entropy (8bit):4.306461250274409
      Encrypted:false
      SSDEEP:
      MD5:DCA83F08D448911A14C22EBCACC5AD57
      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
      Malicious:false
      Reputation:unknown
      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:modified
      Size (bytes):4926
      Entropy (8bit):3.245455997777712
      Encrypted:false
      SSDEEP:
      MD5:C3AA07D2A19342C96B823EE921190C03
      SHA1:B44380C9739E5534AA59A69CC5356BA21E7E8AA6
      SHA-256:20D96CEB78A2E77F36BA0EFC7F4E1A6666703A6C9566C63E23B2EAAFC799C700
      SHA-512:F0E9CCBB7562EF2567E03C9E14B23BEB971CF32F82FE2F009AF77F73878BE1369C85E7C2B44BAFCD7FF30ABDF6383B9412CECAB972B05B4E2605E52A1C12F7AB
      Malicious:false
      Reputation:unknown
      Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
      Process:C:\Users\user\Desktop\LADMAutoInstallService.exe\LADMAutoInstallService.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):97
      Entropy (8bit):4.444100857916273
      Encrypted:false
      SSDEEP:
      MD5:3F36EEC6D30BC517AD83FCAB90E49D32
      SHA1:FC47051EA3B2E9D3520909F53B13286436831D90
      SHA-256:6A8086D2D33E414171BB5FBF01BC7EE4A12B7780740D75A8F66B394D6D7EF19F
      SHA-512:8D0E46F68BB90013C0A73AA3B08B0D5CF7A91EB1F2A7009E1747BD3350A794D9AE7ED0B69BE152F1C1204020017A144BEB9B005B0E388B3AADAAD888A79AD42E
      Malicious:false
      Reputation:unknown
      Preview:Stopping LADMLauncherService...LADMLauncherService is stopped...LADMLauncherService is removed...
      File type:7-zip archive data, version 0.4
      Entropy (8bit):7.999773808747258
      TrID:
      • 7-Zip compressed archive (6006/1) 100.00%
      File name:LADMAutoInstallService.exe.7z
      File size:880'530 bytes
      MD5:cf40750e9e9f7a435b259d0c7ea0924b
      SHA1:c12300d8ba4bf0f5a294e104dc5089f2cbf1cff2
      SHA256:5cd2a5951bfc4079cfe21f7fcda184fdf95e9b5f5c155c1a57af551536922966
      SHA512:852e6744578e9a99bcb4be2997505358e8d463b68f637eeda4e05d0e95eb94dc3dfc703a8e2a86b3a1c4dc12b268b19bddd50cac5648b01c43a069eec040a923
      SSDEEP:12288:p70TOjFNsPkc4kkfHHUZ6H1qhHCUU5yL1LC2S7y8huH3YWz8noU09CvmUMXZVfaD:p70KFeccbLZ6HgS0L1CvZuXYWIF8q6O
      TLSH:501533A1CF3FD34AFA1AC351D9A2547106BB8FDA074D0D438704CA83AB83D678915BD9
      File Content Preview:7z..'...].%).n...............s..4]s......;.................,..*.....Yr.`..}..Q..5..ut:.....m...N cE.H6F..\.R.F3.?].k.)Q.........7lf..8.L3.....;MY.~-...R....f..j...`.7..&........]..m...'v..f..p..v.'.-..Q:...n.z...>.....YC..<..O....E.......I\9.._.m..p......
      Icon Hash:72e2a2a292a2a2b2