Source: | Binary string: System.Configuration.Install.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Data.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3694831683.0000000002FC5000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Data.ni.pdbRSDSz}foQ source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbW source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: v)o.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb* source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Numerics.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.DirectoryServices.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.PowerShell.ConsoleHost.pdb( source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.SecureBoot.Commands.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.ni.pdbRSDSJ< source: WER460.tmp.dmp.8.dr |
Source: | Binary string: mscorlib.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: | Binary string: mscorlib.pdberShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.DirectoryServices.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbz source: powershell.exe, 00000004.00000002.3694831683.0000000003082000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: mscorlib.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Configuration.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Data.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: mscorlib.pdb, source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Configuration.Install.pdbP source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.Automation.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Numerics.ni.pdbRSDSautg source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.Automation.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.SecureBoot.Commands.pdbx source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3736434903.00000000072B0000.00000004.00000020.00020000.00000000.sdmp, WER460.tmp.dmp.8.dr |
Source: | Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.3736434903.00000000072B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp, WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.AppV.AppvClientComConsumer.ni.pdbRSDSl source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.Management.Infrastructure.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbf( source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdbMr source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvU source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Numerics.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.pdbV source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Data.pdb, source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl, source: powershell.exe, 00000004.00000002.3765288303.00000000092E2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.AppV.AppvClientComConsumer.pdb$XTA source: WER460.tmp.dmp.8.dr |
Source: | Binary string: 0u)oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb_3< source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.AppV.AppvClientComConsumer.pdbA source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.DirectoryServices.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbL source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER460.tmp.dmp.8.dr |
Source: | Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000004.00000002.3694831683.0000000003082000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdbe source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Xml.ni.pdbRSDS# source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Core.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Transactions.ni.pdbRSDSc source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.ni.pdbRSDSw source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER460.tmp.dmp.8.dr |
Source: | Binary string: erShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.Configuration.Install.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbfid source: powershell.exe, 00000004.00000002.3765288303.00000000092E2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Configuration.ni.pdbRSDScUN source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: o0C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32tions.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Object[])gement.Automation.InvocationInfo, System.Object[]) source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Xml.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.PowerShell.Security.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbdk"I source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.AppV.AppvClientComConsumer.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Configuration.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Xml.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdb)r source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: %%.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbe source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb@ source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Configuration.pdb8"rl8"rl= source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Core.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Transactions.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.AppV.AppvClientComConsumer.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\mscorlib.pdbu source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Transactions.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.pdbD source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Core.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: 00000004.00000002.3772406030.0000000010016000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18 |
Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23 |
Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28 |
Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8 |
Source: 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18 |
Source: 00000004.00000002.3723941905.0000000006111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18 |
Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23 |
Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR | Matched rule: SUSP_Obfuscted_PowerShell_Code date = 2018-12-13, author = Florian Roth, description = Detects obfuscated PowerShell Code, reference = https://twitter.com/silv0123/status/1073072691584880640 |
Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28 |
Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8 |
Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll | Jump to behavior |
Source: | Binary string: System.Configuration.Install.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Data.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3694831683.0000000002FC5000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Data.ni.pdbRSDSz}foQ source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbW source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: v)o.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb* source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Numerics.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.DirectoryServices.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.PowerShell.ConsoleHost.pdb( source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.SecureBoot.Commands.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.ni.pdbRSDSJ< source: WER460.tmp.dmp.8.dr |
Source: | Binary string: mscorlib.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: | Binary string: mscorlib.pdberShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.DirectoryServices.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbz source: powershell.exe, 00000004.00000002.3694831683.0000000003082000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: mscorlib.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Configuration.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Data.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: mscorlib.pdb, source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Configuration.Install.pdbP source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.Automation.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Numerics.ni.pdbRSDSautg source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.Automation.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.SecureBoot.Commands.pdbx source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3736434903.00000000072B0000.00000004.00000020.00020000.00000000.sdmp, WER460.tmp.dmp.8.dr |
Source: | Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.3736434903.00000000072B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp, WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.AppV.AppvClientComConsumer.ni.pdbRSDSl source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.Management.Infrastructure.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbf( source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdbMr source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvU source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Numerics.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.pdbV source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Data.pdb, source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl, source: powershell.exe, 00000004.00000002.3765288303.00000000092E2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.AppV.AppvClientComConsumer.pdb$XTA source: WER460.tmp.dmp.8.dr |
Source: | Binary string: 0u)oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb_3< source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.AppV.AppvClientComConsumer.pdbA source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.DirectoryServices.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbL source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER460.tmp.dmp.8.dr |
Source: | Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000004.00000002.3694831683.0000000003082000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdbe source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Xml.ni.pdbRSDS# source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Core.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Transactions.ni.pdbRSDSc source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.ni.pdbRSDSw source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER460.tmp.dmp.8.dr |
Source: | Binary string: erShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.Configuration.Install.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbfid source: powershell.exe, 00000004.00000002.3765288303.00000000092E2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Configuration.ni.pdbRSDScUN source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: o0C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32tions.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Object[])gement.Automation.InvocationInfo, System.Object[]) source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Xml.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.PowerShell.Security.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbdk"I source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.AppV.AppvClientComConsumer.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Configuration.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Xml.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdb)r source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: %%.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbe source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb@ source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Configuration.pdb8"rl8"rl= source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Core.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Transactions.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.AppV.AppvClientComConsumer.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: \??\C:\Windows\mscorlib.pdbu source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Transactions.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.ni.pdb source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Management.pdbD source: WER460.tmp.dmp.8.dr |
Source: | Binary string: System.Core.ni.pdbRSDS source: WER460.tmp.dmp.8.dr |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation | Jump to behavior |