Edit tour

Windows Analysis Report
AB05_WRK_BLD01_2024-11-27_20_05_35.381.zip

Overview

General Information

Sample name:	AB05_WRK_BLD01_2024-11-27_20_05_35.381.zip
Analysis ID:	1564126
MD5:	a47911623f823f1f51d9ab00fdfdd6df
SHA1:	2763c4e94e0cb9519c8be3d025c09edef47cbcfc
SHA256:	33ec0473b9bce82057f67dbc4d4c8dd23b797da52725ab67bf01f12ecabf2ecd
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Loading BitLocker PowerShell Module

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Enables driver privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Execution of Suspicious File Type Extension

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 4244 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

svchost.exe (PID: 2660 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe (PID: 3740 cmdline: "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe" MD5: A4817DFEBA100675F1206F9C44BBC413)

ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe (PID: 5996 cmdline: "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe" MD5: A4817DFEBA100675F1206F9C44BBC413)

powershell.exe (PID: 3992 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

drvinst.exe (PID: 2844 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{7b74240d-a78c-3a4f-9893-61e8f502b8d5}\asmfilter64.inf" "9" "4747f8e13" "000000000000014C" "WinSta0\Default" "0000000000000170" "208" "C:\Users\user\AppData\Local\Temp\supd" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe (PID: 3868 cmdline: "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe" MD5: A4817DFEBA100675F1206F9C44BBC413)

powershell.exe (PID: 6760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1952 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 3476 cmdline: C:\Windows\system32\WerFault.exe -u -p 3868 -s 1268 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 4932 cmdline: C:\Windows\system32\WerFault.exe -u -p 3868 -s 588 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe (PID: 5140 cmdline: "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe" MD5: A4817DFEBA100675F1206F9C44BBC413)

ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe (PID: 5652 cmdline: "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe" MD5: A4817DFEBA100675F1206F9C44BBC413)

powershell.exe (PID: 7132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6168 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 3736 cmdline: C:\Windows\system32\WerFault.exe -u -p 5652 -s 1416 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 4480 cmdline: C:\Windows\system32\WerFault.exe -u -p 5652 -s 1404 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1 , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1 , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3992, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1 , ProcessId: 2924, ProcessName: powershell.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe" , CommandLine: "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe, NewProcessName: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe, OriginalFileName: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5728, ProcessCommandLine: "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe" , ProcessId: 3868, ProcessName: ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe" , ParentImage: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe, ParentProcessId: 5996, ParentProcessName: ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}", ProcessId: 3992, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2660, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_c9d473b37ba31f36943cbeec7a8eee2143608247_85207d7d_765a0975-4c77-4863-b66d-e4895280e3a2\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_595b6114-c88d-4482-b6ef-a361603a70c8\

Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe

File created: C:\Users\user\AppData\Local\Temp\{7b74240d-a78c-3a4f-9893-61e8f502b8d5}\SET79A9.tmp

Jump to dropped file

File created: C:\Users\user\AppData\Local\Temp\supd\asmfilter64.sys

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\asmfilter64.inf_amd64_40710894ecb43d13
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\SET8215.tmp

Process token adjusted: Load Driver

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3868 -s 1268

Source: classification engine

Classification label: mal64.evad.winZIP@30/29@0/11

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3868
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5652
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1960:120:WilError_03

File created: C:\Users\user\AppData\Local\Temp\supd\

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe"
Source: unknown	Process created: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe"
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{7b74240d-a78c-3a4f-9893-61e8f502b8d5}\asmfilter64.inf" "9" "4747f8e13" "000000000000014C" "WinSta0\Default" "0000000000000170" "208" "C:\Users\user\AppData\Local\Temp\supd"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe"
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3868 -s 1268
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3868 -s 588
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1
Source: unknown	Process created: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe"
Source: unknown	Process created: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe "C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe"
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5652 -s 1416
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5652 -s 1404
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1

Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: newdev.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: devobj.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: devrtl.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: drvsetup.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: drvstore.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: newdev.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: devobj.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: devrtl.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: drvsetup.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: newdev.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: devobj.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: devrtl.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: drvsetup.dll
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: AB05_WRK_BLD01_2024-11-27_20_05_35.381.zip

Static file information: File size 2569501 > 1048576

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	File created: C:\Users\user\AppData\Local\Temp\supd\asmfilter64.sys
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	File created: C:\Users\user\AppData\Local\Temp\supd\asmfilter64.sys
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	File created: C:\Users\user\AppData\Local\Temp\supd\asmfilter64.sys

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\SET82E2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	File created: C:\Users\user\AppData\Local\Temp\supd\devconAMD64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	File created: C:\Users\user\AppData\Local\Temp\supd\asmiodll.dll	Jump to dropped file
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	File created: C:\Users\user\AppData\Local\Temp\supd\vcruntime140.dll	Jump to dropped file

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\SET82E2.tmp

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\cimv2 : Win32_PnPEntity
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\cimv2 : Win32_PnPEntity
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\cimv2 : Win32_PnPEntity
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\cimv2 : Win32_PnPEntity
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\cimv2 : Win32_PnPEntity
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\cimv2 : Win32_PnPEntity
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\cimv2 : Win32_PnPEntity
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\cimv2 : Win32_PnPEntity
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\cimv2 : Win32_PnPEntity

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	System information queried: FirmwareTableInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1583
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7930
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6865
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2849
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2564
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1528
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6741
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5139
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1898
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1545
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5182
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4534

Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\SET82E2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\supd\devconAMD64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\supd\asmiodll.dll	Jump to dropped file

Source: C:\Windows\System32\svchost.exe TID: 6668	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824	Thread sleep count: 1583 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824	Thread sleep count: 7930 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6896	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1792	Thread sleep count: 3007 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1792	Thread sleep count: 6865 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4008	Thread sleep count: 2849 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4008	Thread sleep count: 2564 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2664	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128	Thread sleep count: 1284 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2132	Thread sleep count: 1528 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144	Thread sleep count: 6741 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2132	Thread sleep count: 4514 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2292	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128	Thread sleep count: 5139 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3436	Thread sleep count: 1898 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4680	Thread sleep count: 1545 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1836	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4988	Thread sleep count: 5182 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6136	Thread sleep count: 4534 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6844	Thread sleep time: -5534023222112862s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_c9d473b37ba31f36943cbeec7a8eee2143608247_85207d7d_765a0975-4c77-4863-b66d-e4895280e3a2\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_595b6114-c88d-4482-b6ef-a361603a70c8\

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process queried: DebugPort

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {$wd = Get-Location; Start-Process -Wait powershell.exe -WindowStyle hidden -Verb RunAs -ArgumentList \"-ExecutionPolicy RemoteSigned -Command Set-Location $wd;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command Set-Location C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381C:\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1;C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1

Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {$wd = get-location; start-process -wait powershell.exe -windowstyle hidden -verb runas -argumentlist \"-executionpolicy remotesigned -command set-location $wd;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy remotesigned -command set-location c:\users\user\desktop\ab05_wrk_bld01_2024-11-27_20_05_35.381c:\users\jessf\downloads\asmx4242_fwupdatev40013_u424241022200011acmapdv1\asmx4242_fwupdatev40013_u424241022200011acmapdv1;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {$wd = get-location; start-process -wait powershell.exe -windowstyle hidden -verb runas -argumentlist \"-executionpolicy remotesigned -command set-location $wd;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy remotesigned -command set-location c:\users\user\desktop\ab05_wrk_bld01_2024-11-27_20_05_35.381c:\users\jessf\downloads\asmx4242_fwupdatev40013_u424241022200011acmapdv1\asmx4242_fwupdatev40013_u424241022200011acmapdv1;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {$wd = get-location; start-process -wait powershell.exe -windowstyle hidden -verb runas -argumentlist \"-executionpolicy remotesigned -command set-location $wd;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy remotesigned -command set-location c:\users\user\desktop\ab05_wrk_bld01_2024-11-27_20_05_35.381c:\users\jessf\downloads\asmx4242_fwupdatev40013_u424241022200011acmapdv1\asmx4242_fwupdatev40013_u424241022200011acmapdv1;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {$wd = get-location; start-process -wait powershell.exe -windowstyle hidden -verb runas -argumentlist \"-executionpolicy remotesigned -command set-location $wd;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy remotesigned -command set-location c:\users\user\desktop\ab05_wrk_bld01_2024-11-27_20_05_35.381c:\users\jessf\downloads\asmx4242_fwupdatev40013_u424241022200011acmapdv1\asmx4242_fwupdatev40013_u424241022200011acmapdv1;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {$wd = get-location; start-process -wait powershell.exe -windowstyle hidden -verb runas -argumentlist \"-executionpolicy remotesigned -command set-location $wd;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy remotesigned -command set-location c:\users\user\desktop\ab05_wrk_bld01_2024-11-27_20_05_35.381c:\users\jessf\downloads\asmx4242_fwupdatev40013_u424241022200011acmapdv1\asmx4242_fwupdatev40013_u424241022200011acmapdv1;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1
Source: C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {$wd = get-location; start-process -wait powershell.exe -windowstyle hidden -verb runas -argumentlist \"-executionpolicy remotesigned -command set-location $wd;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1\"}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy remotesigned -command set-location c:\users\user\desktop\ab05_wrk_bld01_2024-11-27_20_05_35.381c:\users\jessf\downloads\asmx4242_fwupdatev40013_u424241022200011acmapdv1\asmx4242_fwupdatev40013_u424241022200011acmapdv1;c:\users\user\appdata\local\temp\supd\remoteusb4.ps1

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\asmfilter64.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	31 Masquerading	OS Credential Dumping	22 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 LSASS Driver	11 Process Injection	241 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 LSASS Driver	11 Process Injection	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Rundll32	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	122 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\supd\asmiodll.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\supd\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\supd\devconAMD64.exe	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\SET82E2.tmp	0%	ReversingLabs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.89.179.12	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.52.182.8	unknown	United States	20940	AKAMAI-ASN1EU	false
20.42.65.92	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564126
Start date and time:	2024-11-27 21:06:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Sample name:	AB05_WRK_BLD01_2024-11-27_20_05_35.381.zip
Detection:	MAL
Classification:	mal64.evad.winZIP@30/29@0/11
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: AB05_WRK_BLD01_2024-11-27_20_05_35.381.zip

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_595b6114-c88d-4482-b6ef-a361603a70c8\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5952687993305397
Encrypted:	false
SSDEEP:
MD5:	2F9F7A62BE3FF7B03DFE8688F7F20E47
SHA1:	9657B1062460795A7A115C4AD8BC6A770C9B0B31
SHA-256:	9BE40D7C9A2001734DBAE55E998316FC03FF47568829669D0E4AB97BD45090D8
SHA-512:	309A7523C653FD72E693746E1A72444E63BC38DD675446FF18775B13C52A194432ADF4F896173489B6EFA52816A901B28E1D46C04ECB642C79162EDEBC646729
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.2.1.1.6.7.3.1.7.7.5.0.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.2.1.1.6.7.3.7.8.2.5.0.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.5.b.6.1.1.4.-.c.8.8.d.-.4.4.8.2.-.b.6.e.f.-.a.3.6.1.6.0.3.a.7.0.c.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.a.1.1.f.3.8.-.f.7.3.5.-.4.1.3.5.-.8.5.8.c.-.b.1.d.2.b.4.2.4.0.d.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.1.c.-.0.0.0.1.-.0.0.1.6.-.a.0.1.5.-.b.e.0.5.0.8.4.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.A.S.M.x.4.2.4.2._.F.W.U.p.d.a.t.e.V.4.0.0.1.3._.u.4.2.4.2.4.1.0.2.2.2.0.0.0.1.1.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_625b3484-5f6c-4f99-83d4-23a9c60de47c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5954344359000235
Encrypted:	false
SSDEEP:
MD5:	E2686FD808E6DD6AF0B71D05804E98C9
SHA1:	3D645CFE5F5FDE4EE77B23F4CB5F79298C6095FE
SHA-256:	2BFCF41D818A555C6012E2290B6B1545938ABF665B17547B7D9FFDC0C87BBBDA
SHA-512:	44344D93250A66C59C4FEC13D29B3254F448A22012933ABB334A56ECB5F9CF144AE98CEA23FBEA110BDFE51B978A0B7A6ED03434B09008B95766B4645BD71107
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.2.1.1.6.9.9.4.3.6.5.7.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.2.1.1.6.9.9.9.7.6.5.9.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.5.b.3.4.8.4.-.5.f.6.c.-.4.f.9.9.-.8.3.d.4.-.2.3.a.9.c.6.0.d.e.4.7.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.7.a.e.c.d.d.-.0.2.5.6.-.4.3.5.0.-.a.d.1.c.-.b.c.9.8.a.8.e.a.2.9.d.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.1.4.-.0.0.0.1.-.0.0.1.6.-.f.a.b.d.-.3.6.1.5.0.8.4.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.A.S.M.x.4.2.4.2._.F.W.U.p.d.a.t.e.V.4.0.0.1.3._.u.4.2.4.2.4.1.0.2.2.2.0.0.0.1.1.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_c9d473b37ba31f36943cbeec7a8eee2143608247_85207d7d_765a0975-4c77-4863-b66d-e4895280e3a2\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5952622801245282
Encrypted:	false
SSDEEP:
MD5:	C660254C5B245C8814CBA88937FB3B78
SHA1:	36F9A58743846E26BA339A55ACAE40A0649A58F3
SHA-256:	61E34F2A3C27A3B71D0875A237D5DEDF8941840709506ADBF8C1C999F69E2C87
SHA-512:	AAC9A1D87D4C31387B4B2A6DAC9F9D0859DC6F6CF3952E9B0090E11FDD6109166B0C45AB4D288A8B45B6739296F4068C8729DC343D9A7F066DE876A16C7CD77A
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.2.1.1.6.8.3.3.7.3.2.1.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.2.1.1.6.8.3.7.5.7.2.0.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.6.5.a.0.9.7.5.-.4.c.7.7.-.4.8.6.3.-.b.6.6.d.-.e.4.8.9.5.2.8.0.e.3.a.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.6.1.8.0.7.e.1.-.b.e.8.f.-.4.6.e.2.-.b.d.b.c.-.e.b.8.3.8.8.e.4.1.6.d.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.1.c.-.0.0.0.1.-.0.0.1.6.-.a.0.1.5.-.b.e.0.5.0.8.4.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.A.S.M.x.4.2.4.2._.F.W.U.p.d.a.t.e.V.4.0.0.1.3._.u.4.2.4.2.4.1.0.2.2.2.0.0.0.1.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER128D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Nov 27 20:08:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	175956
Entropy (8bit):	1.5604147161613107
Encrypted:	false
SSDEEP:
MD5:	16DCA443B375ED66B6742E8695762904
SHA1:	B400C9E79784C338A5BC14138115DB831F191BA1
SHA-256:	2B6E5A591BC5C72C8DFF4D8127662AB96F9A78FF289F93AE3C0AE80C5433C6C3
SHA-512:	EE31201CE515C6E131DB53278D33FADD7B49A89606B12BCB748AE7387390D79FA3C7DD321EAC30DD8BB5ADA6899269269D05FA3B279E099C513590498CCAE25D
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .......3\|Gg....................................<....$...........d..........`.......8...........T...........H1...~...........%...........&..............................................................................eJ.......'......Lw......................T...........*\|Gg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER130B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9042
Entropy (8bit):	3.695835470031319
Encrypted:	false
SSDEEP:
MD5:	8EF54061C65C051A05CCD7B5434D7881
SHA1:	0A1B97A7EF2A9BF86A22525ADE3E0EA1644C0572
SHA-256:	2B0657A34548BDF38866FBC584DC453111DB0E8CB0B8BDB75AB504765395CCE6
SHA-512:	F7B203A454AA838BC72D77989C07E8BA4F76786FA4B55216BB6A258BF298695A20DFD894FCFD8ED7A995B584862286F94DB05D0F4F9F8C19260EB2C2145DE636
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER133B.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4697
Entropy (8bit):	4.485544777978416
Encrypted:	false
SSDEEP:
MD5:	687CA99C56042BF6531ECD22DA6F243D
SHA1:	739A7D405610F82D362A9A52D9B5D61C39A67497
SHA-256:	1262CFD5EC28003679612ED2E2A960B05611B93F158D8A49A9E03F8298A3494C
SHA-512:	48998D5CC7D053A970893C137316CD6FD07D610E44F55EFBF98857324F4D42A521586CB813347A0EDE184F32A5BF2847734B5ECA690BA2CBC7F84FE8181D08B3
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="606911" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D9A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Nov 27 20:08:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	168652
Entropy (8bit):	1.4898506073311315
Encrypted:	false
SSDEEP:
MD5:	8F8F4955761E2E2CD4A14E380B879743
SHA1:	C478550F6E3F2E2DC5051F1C2A24D454895F605F
SHA-256:	6C2D9837D522AF3CB7A8C2C843B59AACED974B7F8D529A78A780956EE2445096
SHA-512:	A56CF5C10FBF5068C80115512A3A069FD5E470900ED6AAE8D10D8A9465234568215E8722679548C192029A446802E81019298389ED3C281A7702DF69D7F2D78F
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .......6\|Gg....................................<....$...........d..........`.......8...........T............0...a...........%...........&..............................................................................eJ.......'......Lw......................T...........*\|Gg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E08.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9044
Entropy (8bit):	3.693773698221882
Encrypted:	false
SSDEEP:
MD5:	B2AD1C04A32BFBCA950DD3A3EF4110B5
SHA1:	727C51DAFACA935AA94D516EE2DE1E929D0437A5
SHA-256:	4C3EC3157FBED7F075FAA8BEC35D2504EB82C2C413EDF69F45E58B536EBC5C02
SHA-512:	4E411492FA39B39E1F09887322857FC43EE786E9077FA4DD248E1785AB4BD902537598DD696CBB7085A058F37E50D7573E8782AA65D87863B9406F354A145F6D
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E28.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4697
Entropy (8bit):	4.4890233020435675
Encrypted:	false
SSDEEP:
MD5:	513A713017FE3C24FA14CFA2D614CA64
SHA1:	A0A6E6658EA508623C868B6082D54DD57C48A049
SHA-256:	B1C765ADF2BF0DE6461E21F368799817574D9ACBB46014A87D23D7375D462603
SHA-512:	36F5D5B1BEDF12480D51ACF3B713229C8999310BCA3BE60991F05FE32AB64DD7F8395B5E07CD441867B89794B4F2F72009D8E445E8DF4B919AD638DDF676D9B2
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="606911" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC03.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Nov 27 20:07:53 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	170564
Entropy (8bit):	1.5934837827912027
Encrypted:	false
SSDEEP:
MD5:	3E0077E62815488B4D40F3BCEF97A571
SHA1:	31CBA09175024101E3348009DDB17B9D390C9BD6
SHA-256:	0A5F56D4140078478E1279DCA7D46BB462E9679F3114F77539C1DBB41B1605BD
SHA-512:	83EC8EF667787C25DCFCAAA257708201B87F00118EE14957BE9260FDA3E4010C3289A11EDF378EF43A0595DCE5266BF65E8868DA961763366FD9EFF765C87DAC
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ........\|Gg....................................<....$...........d..........`.......8...........T...........H1...h...........%...........&..............................................................................eJ.......'......Lw......................T............\|Gg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACEF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8846
Entropy (8bit):	3.693146206090679
Encrypted:	false
SSDEEP:
MD5:	FD3725AE3E1EAC78427D6DDDCF6ACCF6
SHA1:	9658CCC41716D53E34187917B3B43D56BFBD2CAF
SHA-256:	EF0D8B756C55A446DCE270E97853F9A20049A7026289D3A47ADB7BDF1EE588BE
SHA-512:	5E5F31F06EF0851A27E02D2D6F6806AFFEBB95C237307257EDD45E1B905CB321CD12D2EA184A36513C059358CA2AA61DD60389A56F22CF4888E41626947CA637
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD1F.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4697
Entropy (8bit):	4.486830172721679
Encrypted:	false
SSDEEP:
MD5:	EB5F7F778C5C473D51CB67F374C6CDE8
SHA1:	6C48F5CB1BA129CA902BBC53BE5446CF6A582EE8
SHA-256:	BCA35E108199A23622BD1D34718FA11C2B70E7FF356B1A1DD1B8F699ADAE591E
SHA-512:	C44459EF05EE858671698BA3E7D9818D488814246BA4978F4C9CB1153ED414D4A09FCCA5564A6283DABEDAE9F18E84447D3319709A9CF6F1CFFB4FD8EC64C78B
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="606910" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD3CF.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Nov 27 20:08:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	163300
Entropy (8bit):	1.5225026410525386
Encrypted:	false
SSDEEP:
MD5:	778AA3465A447733737FF56BDBD2DA2D
SHA1:	BAB5E926B8720D330E179800FB01B4230518D6E5
SHA-256:	4296633B2DE0FA24FAB49A06B737170F343E8851B761FA19E81B4286D7359E97
SHA-512:	1BF59D9A8906196D2D1F2819C8F9EC3AC65F15FF6594AE3B15A93388B5233B8A8BBD37F485A32B6DCF5495982C619A8489FE9E0462D8AA01EBE8BABAA6C3BEEB
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .......#\|Gg....................................<....$...........d..........`.......8...........T............0...L...........%...........&..............................................................................eJ.......'......Lw......................T............\|Gg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD44D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8854
Entropy (8bit):	3.691637281581255
Encrypted:	false
SSDEEP:
MD5:	5B9527C2A677C180AF37C993158731D2
SHA1:	22682EC7E35C65C737D5B2275E45219AD2503F43
SHA-256:	53851F5DF8205BB2CB1F3777D9C110EBF29BFCE32644DC8A54B588BFEBEDF89A
SHA-512:	6D1FFA35ADE6DF9749E76D92AD621192833BFDE32F8D1130C1869F3CAF489797A69A2A204DE7B3AC238E381260FC6B6436E7FF3149132099BFF354A7EF10657B
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD46D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4697
Entropy (8bit):	4.487316003322568
Encrypted:	false
SSDEEP:
MD5:	99D6315018543045A805D57F09471D66
SHA1:	30ACD10F7F6C647C905503B11A7355595AE2F181
SHA-256:	19A7A1C6F6EF4B13331339844DDC6F65BB4C7218490BFD1B0F438F49EC412E20
SHA-512:	975BC05D0CDD26581120DC1C12B6DD0F1342513B37464973DED4A87502B0E3659C1E50B1C917A89A2B0D32841B4996434C6FC11B555F52567D11D19DD3530A31
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="606910" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11608
Entropy (8bit):	4.890472898059848
Encrypted:	false
SSDEEP:
MD5:	8A4B02D8A977CB929C05D4BC2942C5A9
SHA1:	F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256:	624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512:	38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	20288
Entropy (8bit):	5.491268476883408
Encrypted:	false
SSDEEP:
MD5:	3AC1ACBF29111335E22D894AAE3106B2
SHA1:	5050C90A6FBCA04327B5377A9AB51A8583DE164D
SHA-256:	878D679AA88A012F669C91503D43085B8377AE7920CE240774A834FF8CBAD8A5
SHA-512:	A7DC921EA3163C38A68279C28B5D108CA588757F54A4453FCB23F85DC5505069D557D230F4CCABC388E3240693B1B3D90E44FD1654089D85019D85D63DB6FB60
Malicious:	false
Reputation:	unknown
Preview:	@...e...........T...!................................@..........H...............o..b~.D.poM...C..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.............System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...........System.Xml..L.................gQ?O.....x5.N.....#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P................1]...E.....c.....(.Microsoft.PowerShell.Commands.ManagementD....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1izv5tgl.woj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\supd\ASMXu424FW.rom

Download File

Process:	C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe
File Type:	data
Category:	dropped
Size (bytes):	409848
Entropy (8bit):	5.869442465584855
Encrypted:	false
SSDEEP:
MD5:	3FC3F51122DDC22C8A5ED79765B9B828
SHA1:	C43015FA3D30FD6AF48901CB7A8E9884333B3EF5
SHA-256:	C675C2FF2787A9A773139D805AD6C81F21982C9A6451B1A07D6773C72B71052B
SHA-512:	06F2383F677F8E48413E45571A0BACA204FEF62F55364EEB76DC9EA78C1B44B04E3AA59A245E67BA993CE158D07BB62C5614EDE6C0C18E1F0436952835CF0972
Malicious:	false
Reputation:	unknown
Preview:	`......$." .........................._AS_...:.@.........................................................x.......8{..v.F.}e-!.q....m....9.N.......1...u...t.f..Y/".....P.5...............................-..........2............c........... 7YH]...s.A...............Lv.....z.{.\|.u..u..u..x.y.u....................................u..u.Zu..t....u..u..u..t....u..u..u!.u..u..u..........s.".......t....t...."3.f.......3#..3#fF...4.h..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1

Download File

Process:	C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15117
Entropy (8bit):	6.052017960304274
Encrypted:	false
SSDEEP:
MD5:	6E40FFC70E17F725AB5179BEF488A9C7
SHA1:	D082EB321852759F735DA2B9E15E0E73B6CE7069
SHA-256:	2E9F6A815F401EF1341E7BCF13F8DBD03216FBA736E726441A9A4C9B11E4AB43
SHA-512:	8F6E4B1AE589A256C9F4E709AC18857CED4684980BC38D9EC4B4EDD4B88EFE294732329614912A5E048FD3A9F9785DD000C0D02B07FD4F29519E3D7D2D0CC13E
Malicious:	true
Reputation:	unknown
Preview:	Set-ExecutionPolicy -Scope CurrentUser RemoteSigned -Force....foreach ($dev in (Get-PnpDevice \| Where-Object{$_.InstanceID -like "PCI\VEN_1B21&DEV_2423"})){&"pnputil" /remove-device $dev.InstanceId}....foreach ($dev in (Get-PnpDevice \| Where-Object{$_.InstanceID -like "PCI\VEN_1B21&DEV_2425"})){&"pnputil" /remove-device $dev.InstanceId}....foreach ($dev in (Get-PnpDevice \| Where-Object{$_.InstanceID -like "PCI\VEN_1B21&DEV_2426*"})){&"pnputil" /remove-device $dev.InstanceId}............# SIG # Begin signature block..# MIIoIQYJKoZIhvcNAQcCoIIoEjCCKA4CAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG..# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD/iU6O3tAr49+K..# BJzrFkPaLd5cEasc748aBb1lSSAc6qCCDZ4wggawMIIEmKADAgECAhAIrUCyYNKc..# TJ9ezam9k67ZMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK..# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV..# BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0z..

C:\Users\user\AppData\Local\Temp\supd\asmiodll.dll

Download File

Process:	C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	42960
Entropy (8bit):	6.143800046407067
Encrypted:	false
SSDEEP:
MD5:	944A6BD7483307CEA38C58898B13ECCC
SHA1:	3147BE62A624246C877B2DF3E35BA3B1EFAE2051
SHA-256:	3448FAE05F31C69C1F525F03F7161716F105DA84861E81341D2A558C73E05E99
SHA-512:	AC0CC5417FC3CB9E37FC0329CB49A94AB7EFCF345E355C80AE14C880E613C7DE38E7CF2930521CB4F625AF13B20703203AC2FFB6F07B238966CA42BDF1BBE859
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.WZ...Z...Z...Sl..\....a..X....a..U....a..R....a..Y....d..]...Z........a..X....a..[....ay.[...Z...[....a..[...RichZ...........PE..d......d.........." .....<...H......................................................h.....`..........................................v..\|....w..........8.......t........%......\|....k..p...........................`l..8............P..P............................text....;.......<.................. ..`.rdata...0...P...2...@..............@..@.data................r..............@....pdata..t............t..............@..@.rsrc...8............z..............@..@.reloc..\|...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\supd\devconAMD64.exe

Download File

Process:	C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	4.977706172799676
Encrypted:	false
SSDEEP:
MD5:	3904D0698962E09DA946046020CBCB17
SHA1:	EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
SHA-256:	A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
SHA-512:	C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......\|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....\|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\supd\vcruntime140.dll

Download File

Process:	C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{7b74240d-a78c-3a4f-9893-61e8f502b8d5}\SET79A9.tmp

Download File

Process:	C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe
File Type:	data
Category:	dropped
Size (bytes):	11797
Entropy (8bit):	7.235817000117338
Encrypted:	false
SSDEEP:
MD5:	6826333FBBC1E56B622D7ED3259144A5
SHA1:	CE88C62850A4CB6CFAD2B4DAC9195EEDB08FE6DD
SHA-256:	B147F9CA888900701927AB6E9BDD5D7EBA55453F6DC243972D04DF3E81FC557F
SHA-512:	7718CA249C1BBC7A6D0DE967E570EA2DE8CAE8FC8369FF693FA4E992BA5D25D6D73449EC3C8E526CD58910F6105557FEB7EB2D48C148004D9EB874A9F1D95060
Malicious:	false
Reputation:	unknown
Preview:	0.....*.H..........0.-....1.0...`.H.e......0..?..+.....7.....00..,0...+.....7.....R....C......\..230913031835Z0...+.....7.....0..p0.... ....:....8....XM...%.yR9..@.0m1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... a.s.m.f.i.l.t.e.r.6.4...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ....:....8....XM...%.yR9..@.0m0......l.rq^..z.9.^g=....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... a.s.m.f.i.l.t.e.r.6.4...s.y.s...0.... ...Ig.V..^7..."....'..i..j..,b1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... a.s.m.f.i.l.t.e.r.6.4...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ...Ig.V..^7..."....'..i..j..,b0....... ....9.M.....A.'1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... a.s.m.f.i.l.t.e.r.6

C:\Users\user\AppData\Local\Temp\{7b74240d-a78c-3a4f-9893-61e8f502b8d5}\asmfilter64.cat (copy)

Download File

Process:	C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	6826333FBBC1E56B622D7ED3259144A5
SHA1:	CE88C62850A4CB6CFAD2B4DAC9195EEDB08FE6DD
SHA-256:	B147F9CA888900701927AB6E9BDD5D7EBA55453F6DC243972D04DF3E81FC557F
SHA-512:	7718CA249C1BBC7A6D0DE967E570EA2DE8CAE8FC8369FF693FA4E992BA5D25D6D73449EC3C8E526CD58910F6105557FEB7EB2D48C148004D9EB874A9F1D95060
Malicious:	false
Reputation:	unknown
Preview:	0.....*.H..........0.-....1.0...`.H.e......0..?..+.....7.....00..,0...+.....7.....R....C......\..230913031835Z0...+.....7.....0..p0.... ....:....8....XM...%.yR9..@.0m1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... a.s.m.f.i.l.t.e.r.6.4...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ....:....8....XM...%.yR9..@.0m0......l.rq^..z.9.^g=....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... a.s.m.f.i.l.t.e.r.6.4...s.y.s...0.... ...Ig.V..^7..."....'..i..j..,b1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... a.s.m.f.i.l.t.e.r.6.4...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ...Ig.V..^7..."....'..i..j..,b0....... ....9.M.....A.'1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... a.s.m.f.i.l.t.e.r.6

C:\Windows\INF\setupapi.dev.log

Download File

Process:	C:\Users\user\Desktop\AB05_WRK_BLD01_2024-11-27_20_05_35.381\Device\HarddiskVolume3\Users\jessf\Downloads\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1\ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.exe
File Type:	Generic INItialization configuration [BeginLog]
Category:	dropped
Size (bytes):	917504
Entropy (8bit):	5.324475584116417
Encrypted:	false
SSDEEP:
MD5:	5B82327D23EF6B3D9E669D1B9F2AD4A8
SHA1:	8C909B6C9C6D258EE906085FE9A54C0BC9550E64
SHA-256:	8C7729097109E3D874F673C3BEC6F38A766F3B90A41E729762AC8DBDF6AB10B8
SHA-512:	4AC7256A2F571E09ED0EEB680692F97D09B3C84452FA4E91497B098C1E35B1FD069DF30BA6998985A6957184F35BDD27FA8393477F640BCD7FF805B32C5B2BF7
Malicious:	false
Reputation:	unknown
Preview:	[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:

C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\SET8274.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	2604
Entropy (8bit):	5.359544854151859
Encrypted:	false
SSDEEP:
MD5:	F53C6C142DDDF4A202604AF9E27DA805
SHA1:	B6D5CE93200BFAFF8D39E24D0F8FD9C9E2419027
SHA-256:	A9041F4967CA568C9F5E37BA99E322EA97CABFB30E27CD0369E8E06ABA8E2C62
SHA-512:	BAB997B0BA6A02DD5A0F18370E23507E0359F975686BB7DD78BF814236286378B3620059969952346999D2F724558DD897BE2A26A56C996F41331863D287EF61
Malicious:	false
Reputation:	unknown
Preview:	;/++..;..;Copyright (c) 2023 ASMedia Technology Inc.. All rights reserved...;..;Module Name:..;..; asmfilter64.inf..;..;Abstract:..; INF file for Asmedia Filter Driver...;..;--/....[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4D36E97D-E325-11CE-BFC1-08002BE10318}..Provider=%ASMT%..CatalogFile=asmfilter64.cat..DriverVer = 09/06/2023,1.0.2.0000..PnpLockdown=1....;***********************..; Source file information..;**********************....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..asmfilter64.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12 ;system32/drivers....[ControlFlags]..ExcludeFromSelect=....;***************************************..; Asmedia filter Install Section..;***************************************....[Manufacturer]..%ASMT%=Standard,NTamd64....[Standard.NTamd64]..%filter.DeviceDesc%=FilterInstall, PCI\VEN_1B21&DEV_2421..%filter.DeviceDesc%=FilterInstall, PCI\VEN_1B21&DEV_242A..%filter.DeviceDesc%=FilterInst

C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\SET82E2.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31696
Entropy (8bit):	6.819036143290088
Encrypted:	false
SSDEEP:
MD5:	280CB42BE2E65EE15202175C401AE8FD
SHA1:	B50FCE7A13D6ED69EDBF5768931F64EA290FDEA6
SHA-256:	4622F708A8608ED4199A6E941F919A5D31292FA8D57ADED51E8C3B84F5CE7A1B
SHA-512:	0585CA63F84FD7B8357DF3CE616C841D188A30321483BCB9D91B1CE5E3C7814FDAEEF4AAEC544A4ABE1C7F51D411CE84C7FEA1F2FB0ABA7AE47586F8FE8FCBAE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:&..[H..[H..[H.}+O..[H.}+I..[H..[I..[H.}+K..[H.}+L..[H.Z.L..[H.Z....[H.Z.J..[H.Rich.[H.........................PE..d...m..d..........".................0 .........@..........................................`A.................................................p..P.......x....P..h....8...C......4....3..8............................3..8............0..P............................text...f........................... ..h.rdata..H....0......................@..H.data........@.......&..............@....pdata..h....P.......(..............@..HPAGE.........`.......*.............. ..`INIT.........p...................... ..b.rsrc...x............0..............@..B.reloc..4............6..............@..B................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\asmfilter64.inf (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	F53C6C142DDDF4A202604AF9E27DA805
SHA1:	B6D5CE93200BFAFF8D39E24D0F8FD9C9E2419027
SHA-256:	A9041F4967CA568C9F5E37BA99E322EA97CABFB30E27CD0369E8E06ABA8E2C62
SHA-512:	BAB997B0BA6A02DD5A0F18370E23507E0359F975686BB7DD78BF814236286378B3620059969952346999D2F724558DD897BE2A26A56C996F41331863D287EF61
Malicious:	false
Reputation:	unknown
Preview:	;/++..;..;Copyright (c) 2023 ASMedia Technology Inc.. All rights reserved...;..;Module Name:..;..; asmfilter64.inf..;..;Abstract:..; INF file for Asmedia Filter Driver...;..;--/....[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4D36E97D-E325-11CE-BFC1-08002BE10318}..Provider=%ASMT%..CatalogFile=asmfilter64.cat..DriverVer = 09/06/2023,1.0.2.0000..PnpLockdown=1....;***********************..; Source file information..;**********************....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..asmfilter64.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12 ;system32/drivers....[ControlFlags]..ExcludeFromSelect=....;***************************************..; Asmedia filter Install Section..;***************************************....[Manufacturer]..%ASMT%=Standard,NTamd64....[Standard.NTamd64]..%filter.DeviceDesc%=FilterInstall, PCI\VEN_1B21&DEV_2421..%filter.DeviceDesc%=FilterInstall, PCI\VEN_1B21&DEV_242A..%filter.DeviceDesc%=FilterInst

C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\asmfilter64.sys (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	280CB42BE2E65EE15202175C401AE8FD
SHA1:	B50FCE7A13D6ED69EDBF5768931F64EA290FDEA6
SHA-256:	4622F708A8608ED4199A6E941F919A5D31292FA8D57ADED51E8C3B84F5CE7A1B
SHA-512:	0585CA63F84FD7B8357DF3CE616C841D188A30321483BCB9D91B1CE5E3C7814FDAEEF4AAEC544A4ABE1C7F51D411CE84C7FEA1F2FB0ABA7AE47586F8FE8FCBAE
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:&..[H..[H..[H.}+O..[H.}+I..[H..[I..[H.}+K..[H.}+L..[H.Z.L..[H.Z....[H.Z.J..[H.Rich.[H.........................PE..d...m..d..........".................0 .........@..........................................`A.................................................p..P.......x....P..h....8...C......4....3..8............................3..8............0..P............................text...f........................... ..h.rdata..H....0......................@..H.data........@.......&..............@....pdata..h....P.......(..............@..HPAGE.........`.......*.............. ..`INIT.........p...................... ..b.rsrc...x............0..............@..B.reloc..4............6..............@..B................................................................................................................................................................................

C:\Windows\System32\catroot2\dberr.txt

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	74041
Entropy (8bit):	5.3905534691572985
Encrypted:	false
SSDEEP:
MD5:	8BEF1C11D3051B75134E18BB1218DE24
SHA1:	DCA0D7A5EAE28FE5543338B307782E0DB3112E18
SHA-256:	35CBB0F6DB5B600EEFCDBB3A5F6E6D215689993B4CD64AB4355B5EA505544CF8
SHA-512:	68E652F8F52031362234C073908B77B5D83FDE1AC08036851E96C4E31BD4D6932E0B6B4ADD21329D95BDC8EC2530E832590858DFA02B2A178FBAF7C56BE257A1
Malicious:	false
Reputation:	unknown
Preview:	CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.309922022667368
Encrypted:	false
SSDEEP:
MD5:	7BE0730916470773C3B0932E1F58CD60
SHA1:	0FAC8E22C8AF2886F74BC03EC581909A599C6A3C
SHA-256:	046B15E697E8AA74AB387886F710E98E2063B96582E199D69F69AEE634771AF1
SHA-512:	45D3953AE7047F56D1E7C3C4950ED48A96AD6DEC4672A1BBD6C47BDE6705FC8A14F4D3EB123A2B22969D9419EAD2CBA6BBDB4B76CFD3016E57046B219CE59EAD
Malicious:	false
Reputation:	unknown
Preview:	regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....A.................................................................................................................................................................................................................................................................................................................................................>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Entropy (8bit):	7.999925878508997
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	AB05_WRK_BLD01_2024-11-27_20_05_35.381.zip
File size:	2'569'501 bytes
MD5:	a47911623f823f1f51d9ab00fdfdd6df
SHA1:	2763c4e94e0cb9519c8be3d025c09edef47cbcfc
SHA256:	33ec0473b9bce82057f67dbc4d4c8dd23b797da52725ab67bf01f12ecabf2ecd
SHA512:	f4d7c1fd5bc210c91a632bc28e9d96c8217e8512c436e1f0a10ae5792fab40279fff3e381484c471d36ad00db69df1cca897c9cad64f3286014119aa43c2d8e8
SSDEEP:	49152:SUulxR31Hcu3b2UG247QpLV44BMEZQ07dsii74JsVHQiG4bc03mU+L:SUwV3bVG2NLiqNyik5uU+L
TLSH:	8EC5332AD6B6CE8BB79B5F87D108132B8EF2C535796F5808521FCC90A7BD170A80DB45
File Content Preview:	PK..-..............2'..G'.a...Device/HarddiskVolume3/Users/jessf/Downloads/ASMx4242_FWUpdateV40013_u424241022200011AcmAPDV1.zip.......................uM.O..K..<........59)..L.2.m.).....I.EM.fw.gk...\.D..........J.(...^....2..H&/z"v%...[.....2I...N.W..%/..

File Icon


Icon Hash:	1c1c1e4e4ececedc

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AB05_WRK_BLD01_2024-11-27_20_05_35.381.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Spreading

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_595b6114-c88d-4482-b6ef-a361603a70c8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_625b3484-5f6c-4f99-83d4-23a9c60de47c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_c9d473b37ba31f36943cbeec7a8eee2143608247_85207d7d_765a0975-4c77-4863-b66d-e4895280e3a2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER128D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER130B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER133B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D9A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E08.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E28.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC03.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACEF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD1F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD3CF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD44D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD46D.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1izv5tgl.woj.ps1

C:\Users\user\AppData\Local\Temp\supd\ASMXu424FW.rom

C:\Users\user\AppData\Local\Temp\supd\RemoteUSB4.ps1

C:\Users\user\AppData\Local\Temp\supd\asmiodll.dll

C:\Users\user\AppData\Local\Temp\supd\devconAMD64.exe

C:\Users\user\AppData\Local\Temp\supd\vcruntime140.dll

C:\Users\user\AppData\Local\Temp\{7b74240d-a78c-3a4f-9893-61e8f502b8d5}\SET79A9.tmp

C:\Users\user\AppData\Local\Temp\{7b74240d-a78c-3a4f-9893-61e8f502b8d5}\asmfilter64.cat (copy)

C:\Windows\INF\setupapi.dev.log

C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\SET8274.tmp

C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\SET82E2.tmp

C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\asmfilter64.inf (copy)

C:\Windows\System32\DriverStore\Temp\{d76038bc-fb72-1c43-9fed-af7daa2a0b76}\asmfilter64.sys (copy)

C:\Windows\System32\catroot2\dberr.txt

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
AB05_WRK_BLD01_2024-11-27_20_05_35.381.zip