Windows Analysis Report
https://get.activated.win

Overview

General Information

Sample URL: https://get.activated.win
Analysis ID: 1633112

Detection

Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Powershell download and execute
Found suspicious powershell code related to unpacking or dynamic code loading
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Abnormal high CPU Usage
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Weak or Abused Passwords In CLI
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Classification chart (labels recovered from the graphic): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
Source: https://get.activated.win/ HTTP Parser: No favicon
Source: unknown HTTPS traffic detected: 104.21.24.156:443 -> 192.168.2.17:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.17:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.24.156:443 -> 192.168.2.17:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.42.20:443 -> 192.168.2.17:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.213.254:443 -> 192.168.2.17:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.17:49758 version: TLS 1.2
Source: Binary string: \Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 0000006C.00000002.2045404315.000002C532DA5000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -4 -n 1 activated.win
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.17:49742 -> 104.21.24.156:443
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.17:49743 -> 13.107.42.20:443
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
  Host: get.activated.win
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /massgrave/Microsoft-Activation-Scripts/_apis/git/repositories/Microsoft-Activation-Scripts/items?path=/MAS/All-In-One-Version-KL/MAS_AIO.cmd&versionType=Commit&version=60c99742ce9ff1c675c6e381e17b0f4ccf1a57bd HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
  Host: dev.azure.com
  Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: get.activated.win
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic DNS traffic detected: DNS query: dev.azure.com
Source: global traffic DNS traffic detected: DNS query: activated.win
Source: global traffic DNS traffic detected: DNS query: updatecheck30.activated.win
Source: global traffic DNS traffic detected: DNS query: l.root-servers.net
Source: global traffic DNS traffic detected: DNS query: kms.idina.cn
Source: unknown HTTP traffic detected:
  POST /report/v4?s=1RyhcZpZ3Yj1efZy8YoRNXZOnRbXJKXAO%2BQGQmrTdnWj0%2FErJDN75bPCb84DH%2BbiP2RETAe8aNJgHHeHDcJMw5%2F1dIfwfwnD0jSoAPyQXV801GYjRkprqM%2FCgD8ah10HzzmePg%3D%3D HTTP/1.1
  Host: a.nel.cloudflare.com
  Connection: keep-alive
  Content-Length: 418
  Content-Type: application/reports+json
  Origin: https://get.activated.win
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: find.exe Process created: 41
Source: reg.exe Process created: 78
Source: cmd.exe Process created: 111

System Summary

Source: sslproxydump.pcap, type: PCAP Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd, type: DROPPED Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
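The rule matched on both the pcap and the dropped .cmd file is described as catching three things together: a base64-encoded file, string concatenation, and execution. The Python below is an added triage example written for this page, not the ditekSHen rule and not Joe Sandbox code. It mirrors that three-part description with regex families of the editor's own choosing; the 100-character base64-blob threshold is an assumption, and the three sample scripts are constructed, not taken from the analysed sample.

```python
"""Heuristic triage for the pattern the matched Yara rule is described as
catching: a base64-encoded file, string concatenation, and execution in one
PowerShell script.  Added example for this page, not the ditekSHen rule and
not sandbox code; every regex, the blob-length threshold and the three sample
scripts are the editor's own assumptions."""
import re

# Indicator families.  A script is flagged only when all three co-occur; that
# co-occurrence is what keeps "decode one config value" scripts out of the net.
INDICATORS = {
    "base64": [
        re.compile(r"FromBase64String\s*\(", re.I),              # [Convert]::FromBase64String(...)
        re.compile(r"[A-Za-z0-9+/]{100,}={0,2}"),                # long inline base64 blob (assumed threshold)
    ],
    "concat": [
        re.compile(r"""['"][^'"\r\n]*['"]\s*\+\s*['"]"""),      # 'Invoke-' + 'Expression'
        re.compile(r"-join\b", re.I),                            # ('I','E','X') -join ''
        re.compile(r"\$\w+\s*\+=\s*['\"$]"),                     # $s += '...'
    ],
    "execute": [
        re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
        re.compile(r"\[IO\.File\]::WriteAllBytes\s*\(", re.I),   # write decoded bytes to disk
        re.compile(r"Start-Process\b|&\s*\$\w+", re.I),          # launch the dropped file / call operator
    ],
}


def scan(script: str) -> dict:
    """Return {family: [matched snippets]} for every indicator family that fires."""
    hits = {}
    for family, patterns in INDICATORS.items():
        snippets = []
        for pat in patterns:
            m = pat.search(script)
            if m:
                snippets.append(m.group(0)[:40])
        if snippets:
            hits[family] = snippets
    return hits


def is_suspicious(script: str) -> bool:
    """Mirror the rule's described logic: all three families must be present."""
    return set(scan(script)) == set(INDICATORS)


# Constructed samples (not taken from the report).  DROPPER embeds the first
# bytes of a PE header as base64 and builds its output path by concatenation.
DROPPER = (
    "$b = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "gAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA='\n"
    "$p = $env:TEMP + '\\up' + 'd.exe'\n"
    "[IO.File]::WriteAllBytes($p, [Convert]::FromBase64String($b))\n"
    "Start-Process $p\n"
)
# Decodes base64 but neither concatenates nor executes anything.
BENIGN = (
    "$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:APP_CONFIG))\n"
    "Write-Output $cfg\n"
)
# Obfuscated execution without an embedded payload: two of the three families.
OBFUSCATED_NO_B64 = "$c = ('Get-', 'Process') -join ''; & $c\n"


if __name__ == "__main__":
    samples = (("DROPPER", DROPPER), ("BENIGN", BENIGN), ("OBFUSCATED_NO_B64", OBFUSCATED_NO_B64))
    for name, script in samples:
        print(f"{name:18} suspicious={is_suspicious(script)!s:5} families={sorted(scan(script))}")
```

Requiring all three families to fire is the point of the design: BENIGN decodes base64 and OBFUSCATED_NO_B64 hides its command name, yet neither is flagged, while DROPPER, which writes decoded bytes to a concatenated path and launches them, is. Loosen the co-occurrence requirement and every script that decodes a configuration value lights up.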
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 24%
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\scoped_dir3408_1573354867
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File deleted: C:\Windows\SystemTemp\scoped_dir3408_1573354867
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DC01E75
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DC01218
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DC0D9BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DC1609D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DC176DC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DC160E5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DC18306
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DE73D6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DE6149E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DE6F1AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFF67D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E000ECD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFFF05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF16FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF8F20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFB72D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E000745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF279D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF9FAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E0017D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFEB80D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF8021
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFA82D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFAC8B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFB4B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFC4C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF8CEB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E0024EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFADA4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF95CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFD5BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFE55F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFC5ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF861D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF2E5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF4A8D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF029D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFE2ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFEA319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFEE328
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFE4B39
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFE34B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFB33D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF835D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF9B7B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFEDB71
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFECB7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFB39B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFA3B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFE73DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF6406
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFE6C29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF7C1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF9C5E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E001C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFE08A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFEB8A9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFE90CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFD8DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF891B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E003919
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E000928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFC91D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF995B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFA9A1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF099D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFB9ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFF235
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFF8A34
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFE7A59
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFFA268
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E2186C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFE00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFEED31
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DC31348
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DC30CCA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DE91FDE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DE906B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DEA92ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DF313C3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E0114CE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFCE85
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFBE94
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFF1E90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFA6B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00A71D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E007730
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E005F70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E012790
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00E795
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00AFDA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00081B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00681B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFE031
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E007075
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00648B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E005490
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFFCCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFF1D1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFE567
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00CD67
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFED89
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFED9C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E005E61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFE339
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFF332F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00733D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E000B95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E007BAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFA3A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFF1BA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00EC4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00FC55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFF0889
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E0010A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00C8DB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFF90D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E0080CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E0108CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFF30EE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00592B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFE174
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E00E190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DFFD1B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E0099C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E25367B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E253478
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DC01348
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DC00CCA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DC0C498
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE61999
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE60560
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFC1C20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFA5E85
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFAD687
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFAD6A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFBEEB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFAD6C3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFA2EF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFADF39
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB5FFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFA7069
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFAF4DB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFA0CCF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFBC547
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB8548
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFA6D55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFACD68
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFADD74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB7DBB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFAC5B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFAA5CE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB5631
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFA7E6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFA0A8E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB92DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB6311
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB9B7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB5BBB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB53DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB6C6B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFBA46D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFBA88D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFBC0BB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB78E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFBD93D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFAE167
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFA6199
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFA198C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFB71BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DFA31E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8E223285
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8E22FD6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DC01218
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DC164A9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DC0C750
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DE68C9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DE60E0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DE777CF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DE606F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DE629EE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DE619B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DE64C40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DE712ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DE76AD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFACF34
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFA2F49
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFAEF62
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFAFFCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFA000A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFB0D9F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFB0DC0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFA9E5C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFB1671
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFA82ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFA7B78
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFAB3E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFA9459
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8DFA70C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8E228346
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8E22A118
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8E224E6E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8E6CCF10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 107_2_00007FFC8E6CADC2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8DC11218
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8DC11030
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8DC10FE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8DC38A08
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8DE72E08
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8DE790EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8DE7130F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8DE722A1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A6E8A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0C969D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CB69D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A56DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A8709
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0C9F1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CA71D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CAF1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A8F55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A977B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A5F8D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A678B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A77AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CDF9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A9FCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CD875
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A706D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0D086D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CE85D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A6CBB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A8D0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CBD3A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0D052D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A754B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A1D6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A8D65
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CE55D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A5DAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A965B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CFE49
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CEE5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A8A9A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CFAA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A5AAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CE29D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A72CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0AA2DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CB32D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A6327
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CEB5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CF35D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A9BDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0C93DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CB3DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CD400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0C9C1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CDC69 108_2_00007FFC8E0CDC69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CA45D 108_2_00007FFC8E0CA45D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CAC5D 108_2_00007FFC8E0CAC5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0C98DC 108_2_00007FFC8E0C98DC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A810D 108_2_00007FFC8E0A810D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0C910D 108_2_00007FFC8E0C910D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CB91D 108_2_00007FFC8E0CB91D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CF11D 108_2_00007FFC8E0CF11D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A897B 108_2_00007FFC8E0A897B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A597B 108_2_00007FFC8E0A597B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CC169 108_2_00007FFC8E0CC169
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CC95D 108_2_00007FFC8E0CC95D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A999D 108_2_00007FFC8E0A999D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0CB19D 108_2_00007FFC8E0CB19D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A69A2 108_2_00007FFC8E0A69A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0A91BD 108_2_00007FFC8E0A91BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E0D01E5 108_2_00007FFC8E0D01E5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 108_2_00007FFC8E396DBC 108_2_00007FFC8E396DBC
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKCU\Console" /v ForceV2
Source: sslproxydump.pcap, type: PCAP Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal88.troj.evad.win@392/76@17/8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3824:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_2023482335
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mrbkcefh.vod.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,6736107539285705423,13982408961378088410,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2128 /prefetch:3
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://get.activated.win"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo CMD is working"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query Null
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "RUNNING"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /v "$" "MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKCU\Console" /v ForceV2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "0x0"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "ARM64"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "FullLanguage"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fltMC.exe fltmc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "True"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd""" -el -qedit'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" -el -qedit"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query Null
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "RUNNING"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /v "$" "MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "/"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKCU\Console" /v ForceV2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "0x0"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "ARM64"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "FullLanguage"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fltMC.exe fltmc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "True"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ping -4 -n 1 activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -4 -n 1 activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck30.activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -4 -n 1 updatecheck30.activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "/S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "/"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 76, 34
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C:123456789EH0 /N
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 76, 30
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C:1234567890 /N
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 115, 32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sppsvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr "577 225"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "computersystem"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path Win32_ComputerSystem get CreationClassName /value
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "Subscription_is_activated"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "Windows"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sppsvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 1 l.root-servers.net
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "AutoPico"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sppsvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr "577 225"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query Null
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sppsvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query sppsvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start Winmgmt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query Winmgmt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sppsvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start Winmgmt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query sppsvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "RUNNING"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sppsvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query Winmgmt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "RUNNING"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start Winmgmt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':wpatest\:.*';iex ($f[1])"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND LicenseDependsOn is NULL AND PartialProductKey IS NOT NULL) get LicenseFamily /VALUE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path Win32_ComputerSystem get CreationClassName /value
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "0x800410 0x800440 0x80131501"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "Get-WmiObject -Query 'SELECT Description FROM SoftwareLicensingProduct WHERE PartialProductKey IS NOT NULL AND LicenseDependsOn IS NULL' | Select-Object -Property Description"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "KMS_"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo Ready "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "Ready"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /reg:32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /reg:32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableDnsPublishing
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59a52881-a989-479d-af46-f275c6370663" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "Windows"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\14.0\CVH /f Click2run /k
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "Get-AppxPackage -name "Microsoft.MicrosoftOfficeHub""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "Office"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "(Get-AppxPackage -name 'Microsoft.Office.Desktop' | Select-Object -ExpandProperty InstallLocation)"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query ClickToRunSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query OfficeSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663') get ID /VALUE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v Platform
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v VersionToReport
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v AudienceData
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "HKLM\SOFTWARE\Microsoft\Office\ClickToRun" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "Wow6432Node"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k 2>nul | findstr /i "Retail Volume"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs" /s /f ".16" /k
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "Retail Volume"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i " ProPlus2019Retail.16 "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo ProPlus2019Retail "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /I " ProPlus2019Retail "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo ProPlus2019Retail "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /I "ProPlus2019Retail"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo ProPlus2019Retail "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "O365"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo ProPlus2019Retail "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "2024"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: [PrepidBypass] "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -AccessRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -ExcelRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -O365BusinessRetail-O365EduCloudRetail-O365HomePremRetail-O365ProPlusRetail-O365SmallBusPremRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: [Bypass] "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -OneNoteRetail-OneNote2021Retail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -OutlookRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -PowerPointRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -ProjectProRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -ProjectStdRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -ProPlusRetail-ProfessionalPipcRetail-ProfessionalRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -PublisherRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: [PrepidBypass] "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: [PrepidBypass] "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -SkypeforBusinessRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -StandardRetail-HomeBusinessPipcRetail-HomeBusinessRetail-HomeStudentARMRetail-HomeStudentPlusARMRetail-HomeStudentRetail-HomeStudentVNextRetail-PersonalPipcRetail-PersonalRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -VisioProRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: -VisioStdRetail- "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo: "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "-ProPlus2019Retail-"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,6736107539285705423,13982408961378088410,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2128 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo CMD is working"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query Null
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "RUNNING"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /v "$" "MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKCU\Console" /v ForceV2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "0x0"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "ARM64"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "FullLanguage"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fltMC.exe fltmc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "True"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd""" -el -qedit'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" -el -qedit"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query Null
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "RUNNING"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /v "$" "MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "/"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKCU\Console" /v ForceV2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "0x0"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "ARM64"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "FullLanguage"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fltMC.exe fltmc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "True"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ping -4 -n 1 activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck30.activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "/S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "/"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 76, 34
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C:123456789EH0 /N
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 76, 30
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C:1234567890 /N
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 115, 32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "AutoPico"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sppsvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr "577 225"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "computersystem"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -4 -n 1 activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -4 -n 1 updatecheck30.activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path Win32_ComputerSystem get CreationClassName /value
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 1 l.root-servers.net
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\fltMC.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\fltMC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\fltMC.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\fltMC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\mode.com Section loaded: ulib.dll
Source: C:\Windows\System32\mode.com Section loaded: ureg.dll
Source: C:\Windows\System32\mode.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\choice.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: clipc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 0000006C.00000002.2045404315.000002C532DA5000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [vo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.Defi
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly(6, 1).DefineDynamicModule(4).DefineType(2)[void]$DM.DefinePInvokeMethod('ClipGetSubscriptionStatus', 'Clipc.dll', 22, 1, [Int32], @([IntPtr].MakeByRefType()), 1, 3).SetImplementa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatStri
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd""" -el -qedit'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DC17568 push edx; retf 38_2_00007FFC8DC1756B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DE759E1 push es; retf 38_2_00007FFC8DE75A37
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DE7594B pushfd ; retf 38_2_00007FFC8DE759A1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DE78137 push ebx; ret 38_2_00007FFC8DE7813A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DE65080 push esp; iretd 38_2_00007FFC8DE655E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DFE3391 push edi; retf 38_2_00007FFC8DFE33A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E226FD7 push ebp; iretd 38_2_00007FFC8E226FD8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E3732F2 push esp; retf 38_2_00007FFC8E3732F3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E3734B6 push esp; iretd 38_2_00007FFC8E3734B7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8E375474 push esp; iretd 38_2_00007FFC8E375475
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DEA17C4 push cs; ret 93_2_00007FFC8DEA17CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8DEA59CD push ds; retf 93_2_00007FFC8DEA5A1F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E243AEB push esp; iretd 93_2_00007FFC8E243AEC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E2474A8 push 8B48FFA2h; iretd 93_2_00007FFC8E2474B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E244319 push cs; iretd 93_2_00007FFC8E24435F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E244302 push ebp; iretd 93_2_00007FFC8E244318
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DC0616A pushad ; ret 101_2_00007FFC8DC061DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DC073A8 push eax; retf 5F58h 101_2_00007FFC8DC08B5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE68E8D pushfd ; ret 101_2_00007FFC8DE68FF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE64E25 pushfd ; ret 101_2_00007FFC8DE64E26
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE64DC5 pushfd ; ret 101_2_00007FFC8DE64DC6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE69971 pushfd ; ret 101_2_00007FFC8DE69973
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE64D65 pushfd ; ret 101_2_00007FFC8DE64D66
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE68134 push ebx; ret 101_2_00007FFC8DE6813A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE678FC push ebx; retf 101_2_00007FFC8DE6793A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE64D05 pushfd ; ret 101_2_00007FFC8DE64D06
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE684DD push esi; iretd 101_2_00007FFC8DE68657
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE644B8 pushfd ; ret 101_2_00007FFC8DE644B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE64CA5 pushfd ; ret 101_2_00007FFC8DE64CA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE68FF2 pushfd ; ret 101_2_00007FFC8DE69042
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 101_2_00007FFC8DE727A4 push FFFFFFE8h; retf 101_2_00007FFC8DE727C1

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: reg.exe (72 identical entries)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe (6 identical entries)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query Null
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -4 -n 1 activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -4 -n 1 updatecheck30.activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 1 l.root-servers.net
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 93_2_00007FFC8E008C4D sldt word ptr [eax] 93_2_00007FFC8E008C4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 900000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899888
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899776
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899665
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899553
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1696
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8180
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 858
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 990
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4079
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1578
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2252
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 519
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1800
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 623
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1382
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1290
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2638
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1043
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1890
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 884
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1512
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1172
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3317
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 997
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1639
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2615
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7198
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2913
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5768
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7172 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7176 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7204 Thread sleep count: 990 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7204 Thread sleep count: 4079 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7260 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3624 Thread sleep count: 1578 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3416 Thread sleep count: 2252 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7672 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1036 Thread sleep count: 519 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1036 Thread sleep count: 1800 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2912 Thread sleep count: 623 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1952 Thread sleep count: 1382 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1952 Thread sleep count: 3108 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1892 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2640 Thread sleep count: 1290 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968 Thread sleep count: 2638 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 Thread sleep count: 1043 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep count: 1890 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5756 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3904 Thread sleep count: 884 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3904 Thread sleep count: 1512 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5704 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 Thread sleep count: 1172 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 Thread sleep count: 3317 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6260 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6896 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 Thread sleep count: 997 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820 Thread sleep count: 1639 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1968 Thread sleep count: 2615 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3700 Thread sleep count: 7198 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1380 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5640 Thread sleep count: 2913 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228 Thread sleep count: 5768 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -900000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -899888s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -899776s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -899665s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -899553s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CreationClassName FROM Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_00007FFC8DC04838 GetSystemInfo, 38_2_00007FFC8DC04838
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 900000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899888
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899776
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899665
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899553
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 0000006C.00000002.2049607815.000002C5330E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnr!
Source: powershell.exe, 0000006C.00000002.2049607815.000002C532FD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi64_4916.amsi.csv, type: OTHER
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, type: DROPPED
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo CMD is working"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query Null
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "RUNNING"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /v "$" "MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKCU\Console" /v ForceV2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "0x0"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "ARM64"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "FullLanguage"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fltMC.exe fltmc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "True"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd""" -el -qedit'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" -el -qedit"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query Null
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "RUNNING"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /v "$" "MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "/"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKCU\Console" /v ForceV2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "0x0"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "ARM64"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "FullLanguage"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fltMC.exe fltmc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "True"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ping -4 -n 1 activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck30.activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "/S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "/"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 76, 34
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C:123456789EH0 /N
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 76, 30
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C:1234567890 /N
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 115, 32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "AutoPico"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start sppsvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr "577 225"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "computersystem"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd') -split ':PStest:\s*';iex ($f[1])"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -4 -n 1 activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -4 -n 1 updatecheck30.activated.win
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path Win32_ComputerSystem get CreationClassName /value
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 1 l.root-servers.net
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$tb = [appdomain]::currentdomain.definedynamicassembly(4, 1).definedynamicmodule(2, $false).definetype(0); [void]$tb.definepinvokemethod('getconsolewindow', 'kernel32.dll', 22, 1, [intptr], @(), 1, 3).setimplementationflags(128); [void]$tb.definepinvokemethod('sendmessagew', 'user32.dll', 22, 1, [intptr], @([intptr], [uint32], [intptr], [intptr]), 1, 3).setimplementationflags(128); $hicon = $tb.createtype(); $hwnd = $hicon::getconsolewindow(); echo $($hicon::sendmessagew($hwnd, 127, 0, 0) -ne [intptr]::zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$t=[appdomain]::currentdomain.definedynamicassembly(4, 1).definedynamicmodule(2, $false).definetype(0); $t.definepinvokemethod('getstdhandle', 'kernel32.dll', 22, 1, [intptr], @([int32]), 1, 3).setimplementationflags(128); $t.definepinvokemethod('setconsolemode', 'kernel32.dll', 22, 1, [boolean], @([intptr], [int32]), 1, 3).setimplementationflags(128); $k=$t.createtype(); $b=$k::setconsolemode($k::getstdhandle(-10), 0x0080); & cmd.exe '/c' '"""c:\windows\temp\mas_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd""" -el -qedit'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$tb = [appdomain]::currentdomain.definedynamicassembly(4, 1).definedynamicmodule(2, $false).definetype(0); [void]$tb.definepinvokemethod('getconsolewindow', 'kernel32.dll', 22, 1, [intptr], @(), 1, 3).setimplementationflags(128); [void]$tb.definepinvokemethod('sendmessagew', 'user32.dll', 22, 1, [intptr], @([intptr], [uint32], [intptr], [intptr]), 1, 3).setimplementationflags(128); $hicon = $tb.createtype(); $hwnd = $hicon::getconsolewindow(); echo $($hicon::sendmessagew($hwnd, 127, 0, 0) -ne [intptr]::zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe $assemblybuilder = [appdomain]::currentdomain.definedynamicassembly(4, 1); $modulebuilder = $assemblybuilder.definedynamicmodule(2, $false); $typebuilder = $modulebuilder.definetype(0); [void]$typebuilder.definepinvokemethod('slgetwindowsinformationdword', 'slc.dll', 'public, static', 1, [int], @([string], [int].makebyreftype()), 1, 3); $sku = 0; [void]$typebuilder.createtype()::slgetwindowsinformationdword('kernel-brandinginfo', [ref]$sku); $sku"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $assemblybuilder = [appdomain]::currentdomain.definedynamicassembly(4, 1); $modulebuilder = $assemblybuilder.definedynamicmodule(2, $false); $typebuilder = $modulebuilder.definetype(0); [void]$typebuilder.definepinvokemethod('slgetwindowsinformationdword', 'slc.dll', 'public, static', 1, [int], @([string], [int].makebyreftype()), 1, 3); $sku = 0; [void]$typebuilder.createtype()::slgetwindowsinformationdword('kernel-brandinginfo', [ref]$sku); $sku
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe $assemblybuilder = [appdomain]::currentdomain.definedynamicassembly(4, 1); $modulebuilder = $assemblybuilder.definedynamicmodule(2, $false); $typebuilder = $modulebuilder.definetype(0); $meth = $typebuilder.definepinvokemethod('brandingformatstring', 'winbrand.dll', 'public, static', 1, [string], @([string]), 1, 3); $meth.setimplementationflags(128); $typebuilder.createtype()::brandingformatstring('%windows_long%')"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $assemblybuilder = [appdomain]::currentdomain.definedynamicassembly(4, 1); $modulebuilder = $assemblybuilder.definedynamicmodule(2, $false); $typebuilder = $modulebuilder.definetype(0); $meth = $typebuilder.definepinvokemethod('brandingformatstring', 'winbrand.dll', 'public, static', 1, [string], @([string]), 1, 3); $meth.setimplementationflags(128); $typebuilder.createtype()::brandingformatstring('%windows_long%')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$netserv = (new-object security.principal.securityidentifier('s-1-5-20')).translate([security.principal.ntaccount]).value; $aclstring = get-acl 'registry::hku\s-1-5-20\software\microsoft\windows nt\currentversion\softwareprotectionplatform\policies' | format-list | out-string; if (-not ($aclstring.contains($netserv + ' allow fullcontrol') -or $aclstring.contains('nt service\sppsvc allow fullcontrol')) -or ($aclstring.contains('deny'))) {exit 3}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$tb = [appdomain]::currentdomain.definedynamicassembly(4, 1).definedynamicmodule(2, $false).definetype(0); [void]$tb.definepinvokemethod('getconsolewindow', 'kernel32.dll', 22, 1, [intptr], @(), 1, 3).setimplementationflags(128); [void]$tb.definepinvokemethod('sendmessagew', 'user32.dll', 22, 1, [intptr], @([intptr], [uint32], [intptr], [intptr]), 1, 3).setimplementationflags(128); $hicon = $tb.createtype(); $hwnd = $hicon::getconsolewindow(); echo $($hicon::sendmessagew($hwnd, 127, 0, 0) -ne [intptr]::zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$t=[appdomain]::currentdomain.definedynamicassembly(4, 1).definedynamicmodule(2, $false).definetype(0); $t.definepinvokemethod('getstdhandle', 'kernel32.dll', 22, 1, [intptr], @([int32]), 1, 3).setimplementationflags(128); $t.definepinvokemethod('setconsolemode', 'kernel32.dll', 22, 1, [boolean], @([intptr], [int32]), 1, 3).setimplementationflags(128); $k=$t.createtype(); $b=$k::setconsolemode($k::getstdhandle(-10), 0x0080); & cmd.exe '/c' '"""c:\windows\temp\mas_3c0affdc-4027-4a4a-bdad-10980fb3071c.cmd""" -el -qedit'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe "$tb = [appdomain]::currentdomain.definedynamicassembly(4, 1).definedynamicmodule(2, $false).definetype(0); [void]$tb.definepinvokemethod('getconsolewindow', 'kernel32.dll', 22, 1, [intptr], @(), 1, 3).setimplementationflags(128); [void]$tb.definepinvokemethod('sendmessagew', 'user32.dll', 22, 1, [intptr], @([intptr], [uint32], [intptr], [intptr]), 1, 3).setimplementationflags(128); $hicon = $tb.createtype(); $hwnd = $hicon::getconsolewindow(); echo $($hicon::sendmessagew($hwnd, 127, 0, 0) -ne [intptr]::zero);"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $assemblybuilder = [appdomain]::currentdomain.definedynamicassembly(4, 1); $modulebuilder = $assemblybuilder.definedynamicmodule(2, $false); $typebuilder = $modulebuilder.definetype(0); [void]$typebuilder.definepinvokemethod('slgetwindowsinformationdword', 'slc.dll', 'public, static', 1, [int], @([string], [int].makebyreftype()), 1, 3); $sku = 0; [void]$typebuilder.createtype()::slgetwindowsinformationdword('kernel-brandinginfo', [ref]$sku); $sku
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $assemblybuilder = [appdomain]::currentdomain.definedynamicassembly(4, 1); $modulebuilder = $assemblybuilder.definedynamicmodule(2, $false); $typebuilder = $modulebuilder.definetype(0); $meth = $typebuilder.definepinvokemethod('brandingformatstring', 'winbrand.dll', 'public, static', 1, [string], @([string]), 1, 3); $meth.setimplementationflags(128); $typebuilder.createtype()::brandingformatstring('%windows_long%')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Activities\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Activities.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Workflow.ServiceCore\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Workflow.ServiceCore.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.dll VolumeInformation