Windows Analysis Report
01_COVER_LETTER_-_FOR_E_PAYMENT.vbe

Overview

General Information

Sample name: 01_COVER_LETTER_-_FOR_E_PAYMENT.vbe
Analysis ID: 1501321
MD5: 46a86b1e4d1136f04743b65d4c402b9f
SHA1: dc17d6fa8bdd838bf37efbbe60b8a169e3f794a3
SHA256: db7c3bb3fa1311b696574ba3048e627b3ce3298d911a5946972655433be476af
Tags: Paymentvbe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AI detected suspicious sample
Injects a PE file into a foreign processes
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 01_COVER_LETTER_-_FOR_E_PAYMENT.vbe ReversingLabs: Detection: 13%
Yara detected FormBook
Source: Yara match File source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 144.91.79.54 80 Jump to behavior
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CONTABODE CONTABODE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /2508/s HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/r HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/u9icZZB5Fm5owWojnw5Q.txt HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/v HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/file HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/s HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/r HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/u9icZZB5Fm5owWojnw5Q.txt HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/v HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/file HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: wscript.exe, 00000000.00000003.2142682570.0000021315A72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/
Source: wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163830069.0000021315A96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168732062.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166376752.0000021317D42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167359857.0000021315AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163901569.0000021315AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/file
Source: wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/file140B807A6BN
Source: wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/file53C7849C57
Source: wscript.exe, 00000000.00000003.2158218358.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166607159.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158078701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158910701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168732062.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166276434.00000213179D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158858187.000002131774C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/r
Source: wscript.exe, 00000000.00000003.2158218358.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166607159.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158078701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2148962279.0000021315A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158910701.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168732062.0000021317750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142682570.0000021315A72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142780136.0000021315A3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166276434.00000213179D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158858187.000002131774C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/s
Source: wscript.exe, 00000000.00000003.2148962279.0000021315A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142780136.0000021315A3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/stem
Source: wscript.exe, 00000000.00000003.2157529486.0000021315A2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157462766.0000021315A2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157545405.0000021315A35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157481785.0000021315A56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/u9icZZB5Fm5owWojnw5Q.txt
Source: wscript.exe, 00000000.00000003.2165519546.0000021315958000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2167970238.0000007E5A0F2000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166630724.0000021315959000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.000002131774C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167561687.0000021315AAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165501956.000002131774A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163830069.0000021315A96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2158967775.0000021317748000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167359857.0000021315AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163901569.0000021315AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/v
Source: wscript.exe, 00000000.00000003.2166395633.00000213179D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/v75
Source: wscript.exe, 00000000.00000003.2142682570.0000021315A72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/c
Source: wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142958351.0000021315A35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142939052.0000021315A2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2149023769.0000021315A2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157529486.0000021315A2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157462766.0000021315A2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157545405.0000021315A35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2149037908.0000021315A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/ll
Source: wscript.exe, 00000000.00000003.2163847317.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168596475.0000021315A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54:80/2508/fileJb
Source: wscript.exe, 00000000.00000003.2165581468.0000021315A0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166759289.0000021315A16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2166051740.0000021315A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168457150.0000021315A16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167235585.0000021315A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54:80/2508/s
Source: wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168475689.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.m

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_5960.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_5264.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2056.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_3780.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_5256.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_5368.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_6068.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_1596.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_4392.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_6780.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DB19EC NtProtectVirtualMemory, 5_2_00DB19EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DDC4D3 NtClose, 5_2_00DDC4D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E35C0 NtCreateMutant,LdrInitializeThunk, 5_2_018E35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2B60 NtClose,LdrInitializeThunk, 5_2_018E2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_018E2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_018E2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E3090 NtSetValueKey, 5_2_018E3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E3010 NtOpenDirectoryObject, 5_2_018E3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E4340 NtSetContextThread, 5_2_018E4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E4650 NtSuspendThread, 5_2_018E4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E39B0 NtGetContextThread, 5_2_018E39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2B80 NtQueryInformationFile, 5_2_018E2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2BA0 NtEnumerateValueKey, 5_2_018E2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2BE0 NtQueryValueKey, 5_2_018E2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2BF0 NtAllocateVirtualMemory, 5_2_018E2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2AB0 NtWaitForSingleObject, 5_2_018E2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2AD0 NtReadFile, 5_2_018E2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2AF0 NtWriteFile, 5_2_018E2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2DB0 NtEnumerateKey, 5_2_018E2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2DD0 NtDelayExecution, 5_2_018E2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2D00 NtSetInformationFile, 5_2_018E2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E3D10 NtOpenProcessToken, 5_2_018E3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2D10 NtMapViewOfSection, 5_2_018E2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2D30 NtUnmapViewOfSection, 5_2_018E2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E3D70 NtOpenThread, 5_2_018E3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2CA0 NtQueryInformationToken, 5_2_018E2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2CC0 NtQueryVirtualMemory, 5_2_018E2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2CF0 NtOpenProcess, 5_2_018E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2C00 NtQueryInformationProcess, 5_2_018E2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2C60 NtCreateKey, 5_2_018E2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2F90 NtProtectVirtualMemory, 5_2_018E2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2FA0 NtQuerySection, 5_2_018E2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2FB0 NtResumeThread, 5_2_018E2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2FE0 NtCreateFile, 5_2_018E2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2F30 NtCreateSection, 5_2_018E2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2F60 NtCreateProcessEx, 5_2_018E2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2E80 NtReadVirtualMemory, 5_2_018E2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2EA0 NtAdjustPrivilegesToken, 5_2_018E2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2EE0 NtQueueApcThread, 5_2_018E2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E2E30 NtWriteVirtualMemory, 5_2_018E2E30
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DB31F0 5_2_00DB31F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DB1210 5_2_00DB1210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DDEB33 5_2_00DDEB33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DBFC43 5_2_00DBFC43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DBFC40 5_2_00DBFC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DC65DE 5_2_00DC65DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DC65E3 5_2_00DC65E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DB2520 5_2_00DB2520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DBDEE3 5_2_00DBDEE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DBFE63 5_2_00DBFE63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BB1B0 5_2_018BB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019701AA 5_2_019701AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019681CC 5_2_019681CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A0100 5_2_018A0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194A118 5_2_0194A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01938158 5_2_01938158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E516C 5_2_018E516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0197B16B 5_2_0197B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195F0CC 5_2_0195F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196F0E0 5_2_0196F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019670E9 5_2_019670E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018F739A 5_2_018F739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019703E6 5_2_019703E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BE3F0 5_2_018BE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196132D 5_2_0196132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196A352 5_2_0196A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189D34C 5_2_0189D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B52A0 5_2_018B52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CB2C0 5_2_018CB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01970591 5_2_01970591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194D5B0 5_2_0194D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B0535 5_2_018B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01967571 5_2_01967571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195E4F6 5_2_0195E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196F43F 5_2_0196F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01962446 5_2_01962446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A1460 5_2_018A1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196F7B0 5_2_0196F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AC7C0 5_2_018AC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D4750 5_2_018D4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B0770 5_2_018B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019616CC 5_2_019616CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CC6E0 5_2_018CC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B29A0 5_2_018B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0197A9A6 5_2_0197A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B9950 5_2_018B9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CB950 5_2_018CB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C6962 5_2_018C6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018968B8 5_2_018968B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B38E0 5_2_018B38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE8F0 5_2_018DE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191D800 5_2_0191D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B2840 5_2_018B2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BA840 5_2_018BA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CFB80 5_2_018CFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01966BD7 5_2_01966BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01925BF0 5_2_01925BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018EDBF9 5_2_018EDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196AB40 5_2_0196AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196FB76 5_2_0196FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AEA80 5_2_018AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018F5AA0 5_2_018F5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194DAAC 5_2_0194DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195DAC6 5_2_0195DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01967A46 5_2_01967A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196FA49 5_2_0196FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01923A6C 5_2_01923A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C8DBF 5_2_018C8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CFDC0 5_2_018CFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AADE0 5_2_018AADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BAD00 5_2_018BAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B3D40 5_2_018B3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01961D5A 5_2_01961D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01967D73 5_2_01967D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950CB5 5_2_01950CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196FCF2 5_2_0196FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A0CF2 5_2_018A0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B0C00 5_2_018B0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01929C32 5_2_01929C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1F92 5_2_018B1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196FFB1 5_2_0196FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A2FC8 5_2_018A2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BCFE0 5_2_018BCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196FF09 5_2_0196FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018F2F28 5_2_018F2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D0F30 5_2_018D0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01924F40 5_2_01924F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196CE93 5_2_0196CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C2E90 5_2_018C2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B9EB0 5_2_018B9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196EEDB 5_2_0196EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196EE26 5_2_0196EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B0E59 5_2_018B0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF600A 14_2_00DF600A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E36000 14_2_00E36000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DE0100 14_2_00DE0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E702C0 14_2_00E702C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF0535 14_2_00DF0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E0C6E0 14_2_00E0C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DEC7C0 14_2_00DEC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF0770 14_2_00DF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E14750 14_2_00E14750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E1E8F0 14_2_00E1E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DD68B8 14_2_00DD68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E28890 14_2_00E28890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF2840 14_2_00DF2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DFA840 14_2_00DFA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF29A0 14_2_00DF29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E06962 14_2_00E06962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DEEA80 14_2_00DEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DE0CF2 14_2_00DE0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF0C00 14_2_00DF0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF8DC0 14_2_00DF8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DEADE0 14_2_00DEADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E08DBF 14_2_00E08DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DFED7A 14_2_00DFED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DFAD00 14_2_00DFAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E02E90 14_2_00E02E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF0E59 14_2_00DF0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DE2FC8 14_2_00DE2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E6EFA0 14_2_00E6EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E64F40 14_2_00E64F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E32F28 14_2_00E32F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E10F30 14_2_00E10F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DFB1B0 14_2_00DFB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E2516C 14_2_00E2516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DDF172 14_2_00DDF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E0D2F0 14_2_00E0D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E0B2C0 14_2_00E0B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF52A0 14_2_00DF52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF33F3 14_2_00DF33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DDD34C 14_2_00DDD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E374E0 14_2_00E374E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF3497 14_2_00DF3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DE1460 14_2_00DE1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DFB730 14_2_00DFB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF38E0 14_2_00DF38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E5D800 14_2_00E5D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF5990 14_2_00DF5990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF9950 14_2_00DF9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E0B950 14_2_00E0B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E63A6C 14_2_00E63A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E65BF0 14_2_00E65BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E2DBF9 14_2_00E2DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E0FB80 14_2_00E0FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E09C20 14_2_00E09C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E69C32 14_2_00E69C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E0FDC0 14_2_00E0FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF3D40 14_2_00DF3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF9EB0 14_2_00DF9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DF1F92 14_2_00DF1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01820100 19_2_01820100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01876000 19_2_01876000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018B02C0 19_2_018B02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01830535 19_2_01830535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0182C7C0 19_2_0182C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01854750 19_2_01854750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01830770 19_2_01830770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0184C6E0 19_2_0184C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018329A0 19_2_018329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01846962 19_2_01846962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01868890 19_2_01868890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018168B8 19_2_018168B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0185E8F0 19_2_0185E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01832840 19_2_01832840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0183A840 19_2_0183A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0182EA80 19_2_0182EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01848DBF 19_2_01848DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01838DC0 19_2_01838DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0182ADE0 19_2_0182ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0183AD00 19_2_0183AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0183ED7A 19_2_0183ED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01820CF2 19_2_01820CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01830C00 19_2_01830C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018AEFA0 19_2_018AEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01822FC8 19_2_01822FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01872F28 19_2_01872F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01850F30 19_2_01850F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018A4F40 19_2_018A4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01842E90 19_2_01842E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01830E59 19_2_01830E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0183B1B0 19_2_0183B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0186516C 19_2_0186516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0181F172 19_2_0181F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018333F3 19_2_018333F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0181D34C 19_2_0181D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018352A0 19_2_018352A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0184B2C0 19_2_0184B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0184D2F0 19_2_0184D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01833497 19_2_01833497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018774E0 19_2_018774E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01821460 19_2_01821460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0183B730 19_2_0183B730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01835990 19_2_01835990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01839950 19_2_01839950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0184B950 19_2_0184B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018338E0 19_2_018338E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0189D800 19_2_0189D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0184FB80 19_2_0184FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018A5BF0 19_2_018A5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0186DBF9 19_2_0186DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018A3A6C 19_2_018A3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0184FDC0 19_2_0184FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01833D40 19_2_01833D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01849C20 19_2_01849C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018A9C32 19_2_018A9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01831F92 19_2_01831F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01839EB0 19_2_01839EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019E0100 23_2_019E0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A36000 23_2_01A36000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A702C0 23_2_01A702C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F0535 23_2_019F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019EC7C0 23_2_019EC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F0770 23_2_019F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A14750 23_2_01A14750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A0C6E0 23_2_01A0C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F29A0 23_2_019F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A06962 23_2_01A06962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019D68B8 23_2_019D68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A28890 23_2_01A28890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A1E8F0 23_2_01A1E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F2840 23_2_019F2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019FA840 23_2_019FA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019EEA80 23_2_019EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A08DBF 23_2_01A08DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F8DC0 23_2_019F8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019EADE0 23_2_019EADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019FAD00 23_2_019FAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019FED7A 23_2_019FED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019E0CF2 23_2_019E0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F0C00 23_2_019F0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A6EFA0 23_2_01A6EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019E2FC8 23_2_019E2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A32F28 23_2_01A32F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A10F30 23_2_01A10F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A64F40 23_2_01A64F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A02E90 23_2_01A02E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F0E59 23_2_019F0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019FB1B0 23_2_019FB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A2516C 23_2_01A2516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019DF172 23_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F33F3 23_2_019F33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019DD34C 23_2_019DD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F52A0 23_2_019F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A0D2F0 23_2_01A0D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A0B2C0 23_2_01A0B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F3497 23_2_019F3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A374E0 23_2_01A374E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019E1460 23_2_019E1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019FB730 23_2_019FB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F5990 23_2_019F5990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F9950 23_2_019F9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A0B950 23_2_01A0B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F38E0 23_2_019F38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A5D800 23_2_01A5D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A0FB80 23_2_01A0FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A65BF0 23_2_01A65BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A2DBF9 23_2_01A2DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A63A6C 23_2_01A63A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A0FDC0 23_2_01A0FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F3D40 23_2_019F3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A09C20 23_2_01A09C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A69C32 23_2_01A69C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F1F92 23_2_019F1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019F9EB0 23_2_019F9EB0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 0189B970 appears 268 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 01877E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 00E5EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 0189EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 0191EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 018E5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 01A37E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 018F7E54 appears 91 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 0192F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 01A5EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 00E37E54 appears 97 times
Yara signature match
Source: amsi64_5960.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_5264.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_2056.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_3780.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_5256.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_5368.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_6068.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_1596.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_4392.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_6780.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.expl.evad.winVBE@72/83@0/1
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1224:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2016:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4880:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_2116847995
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2hn0xigp.k0l.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs"
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='AddInProcess32.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 01_COVER_LETTER_-_FOR_E_PAYMENT.vbe ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01_COVER_LETTER_-_FOR_E_PAYMENT.vbe"
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5960" "2556" "2808" "2640" "0" "0" "2560" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5264" "2560" "2180" "2464" "0" "0" "2640" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2056" "2800" "2732" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3780" "2612" "2844" "2596" "0" "0" "2508" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5256" "2508" "2512" "2556" "0" "0" "2560" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5368" "2468" "2228" "2508" "0" "0" "2496" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6068" "2816" "2752" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1596" "2640" "2808" "2340" "0" "0" "2572" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4392" "2800" "2312" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6780" "2824" "2552" "2828" "0" "0" "2832" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5960" "2556" "2808" "2640" "0" "0" "2560" "0" "0" "0" "0" "0" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5264" "2560" "2180" "2464" "0" "0" "2640" "0" "0" "0" "0" "0" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2056" "2800" "2732" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3780" "2612" "2844" "2596" "0" "0" "2508" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5256" "2508" "2512" "2556" "0" "0" "2560" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5368" "2468" "2228" "2508" "0" "0" "2496" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6068" "2816" "2752" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1596" "2640" "2808" "2340" "0" "0" "2572" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4392" "2800" "2312" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6780" "2824" "2552" "2828" "0" "0" "2832" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttpcom.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2429039304.0000000001870000.00000040.00001000.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DD48EE push edi; retf 5_2_00DD48F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DD4097 push ebx; retf 5_2_00DD4098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DB685F push ecx; iretd 5_2_00DB6862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DC4843 pushad ; ret 5_2_00DC4844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DCF07B push esp; retf 5_2_00DCF082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DD4070 pushfd ; retf 5_2_00DD4071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DCE93D pushad ; iretd 5_2_00DCE93E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DB3470 push eax; ret 5_2_00DB3472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DCA5E1 push ss; ret 5_2_00DCA5E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DC5EC3 push 3E994BE1h; retf 1C42h 5_2_00DC5F93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DC3EF3 push edx; retn 42A5h 5_2_00DC3F86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DD4E73 push edi; iretd 5_2_00DD4E7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DD3E3E push esp; retf 5_2_00DD3E3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A09AD push ecx; mov dword ptr [esp], ecx 5_2_018A09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E2C54F push 8B00DB67h; ret 14_2_00E2C554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E2C54D pushfd ; ret 14_2_00E2C54E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E2C9D7 push edi; ret 14_2_00E2C9D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DE09AD push ecx; mov dword ptr [esp], ecx 14_2_00DE09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DB1366 push eax; iretd 14_2_00DB1369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00E37E99 push ecx; ret 14_2_00E37EAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 14_2_00DB1FEC push eax; iretd 14_2_00DB1FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0186C54D pushfd ; ret 19_2_0186C54E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_018209AD push ecx; mov dword ptr [esp], ecx 19_2_018209B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_0186C9D7 push edi; ret 19_2_0186C9D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_017F1368 push eax; iretd 19_2_017F1369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_017F1FEC push eax; iretd 19_2_017F1FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 19_2_01877E99 push ecx; ret 19_2_01877EAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A2C54F push 8B019B67h; ret 23_2_01A2C554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A2C54D pushfd ; ret 23_2_01A2C54E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_019E09AD push ecx; mov dword ptr [esp], ecx 23_2_019E09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 23_2_01A2C9D7 push edi; ret 23_2_01A2C9D9

Persistence and Installation Behavior
barindex
Windows Shell Script Host drops VBS files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\mBUojysElnsNYdM.vbs Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191D1C0 rdtsc 5_2_0191D1C0
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5845 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4021 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6126 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3601 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4260
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5513
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6706
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2937
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6236
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3487
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3081
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7168
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2550
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5643
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4071
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6982
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2769
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API coverage: 0.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API coverage: 0.3 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API coverage: 0.3 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API coverage: 0.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 7104 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 6892 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4180 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6552 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1060 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5984 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6248 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6040 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5728 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6392 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1908 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5028 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1120 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2268 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6416 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1708 Thread sleep time: -9223372036854770s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: wscript.exe, 00000000.00000003.2142682570.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163847317.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168596475.0000021315A84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWll.mui#o.0
Source: wscript.exe, 00000000.00000003.2142682570.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2163847317.0000021315A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168596475.0000021315A84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.2167136542.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2148962279.0000021315A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2168519101.0000021315A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2167296728.0000021315A3C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2165814195.0000021315A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2142780136.0000021315A3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191D1C0 rdtsc 5_2_0191D1C0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_00DC7593 LdrLoadDll, 5_2_00DC7593
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E0185 mov eax, dword ptr fs:[00000030h] 5_2_018E0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192019F mov eax, dword ptr fs:[00000030h] 5_2_0192019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192019F mov eax, dword ptr fs:[00000030h] 5_2_0192019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192019F mov eax, dword ptr fs:[00000030h] 5_2_0192019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192019F mov eax, dword ptr fs:[00000030h] 5_2_0192019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195C188 mov eax, dword ptr fs:[00000030h] 5_2_0195C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195C188 mov eax, dword ptr fs:[00000030h] 5_2_0195C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189A197 mov eax, dword ptr fs:[00000030h] 5_2_0189A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189A197 mov eax, dword ptr fs:[00000030h] 5_2_0189A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189A197 mov eax, dword ptr fs:[00000030h] 5_2_0189A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018F7190 mov eax, dword ptr fs:[00000030h] 5_2_018F7190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019511A4 mov eax, dword ptr fs:[00000030h] 5_2_019511A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019511A4 mov eax, dword ptr fs:[00000030h] 5_2_019511A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019511A4 mov eax, dword ptr fs:[00000030h] 5_2_019511A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019511A4 mov eax, dword ptr fs:[00000030h] 5_2_019511A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BB1B0 mov eax, dword ptr fs:[00000030h] 5_2_018BB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0191E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0191E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191E1D0 mov ecx, dword ptr fs:[00000030h] 5_2_0191E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0191E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0191E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019661C3 mov eax, dword ptr fs:[00000030h] 5_2_019661C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019661C3 mov eax, dword ptr fs:[00000030h] 5_2_019661C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019751CB mov eax, dword ptr fs:[00000030h] 5_2_019751CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DD1D0 mov eax, dword ptr fs:[00000030h] 5_2_018DD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DD1D0 mov ecx, dword ptr fs:[00000030h] 5_2_018DD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C51EF mov eax, dword ptr fs:[00000030h] 5_2_018C51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A51ED mov eax, dword ptr fs:[00000030h] 5_2_018A51ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019471F9 mov esi, dword ptr fs:[00000030h] 5_2_019471F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019761E5 mov eax, dword ptr fs:[00000030h] 5_2_019761E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D01F8 mov eax, dword ptr fs:[00000030h] 5_2_018D01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01960115 mov eax, dword ptr fs:[00000030h] 5_2_01960115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194A118 mov ecx, dword ptr fs:[00000030h] 5_2_0194A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194A118 mov eax, dword ptr fs:[00000030h] 5_2_0194A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194A118 mov eax, dword ptr fs:[00000030h] 5_2_0194A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194A118 mov eax, dword ptr fs:[00000030h] 5_2_0194A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D0124 mov eax, dword ptr fs:[00000030h] 5_2_018D0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A1131 mov eax, dword ptr fs:[00000030h] 5_2_018A1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A1131 mov eax, dword ptr fs:[00000030h] 5_2_018A1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189B136 mov eax, dword ptr fs:[00000030h] 5_2_0189B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189B136 mov eax, dword ptr fs:[00000030h] 5_2_0189B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189B136 mov eax, dword ptr fs:[00000030h] 5_2_0189B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189B136 mov eax, dword ptr fs:[00000030h] 5_2_0189B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01899148 mov eax, dword ptr fs:[00000030h] 5_2_01899148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01899148 mov eax, dword ptr fs:[00000030h] 5_2_01899148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01899148 mov eax, dword ptr fs:[00000030h] 5_2_01899148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01899148 mov eax, dword ptr fs:[00000030h] 5_2_01899148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01975152 mov eax, dword ptr fs:[00000030h] 5_2_01975152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01938158 mov eax, dword ptr fs:[00000030h] 5_2_01938158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01934144 mov eax, dword ptr fs:[00000030h] 5_2_01934144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01934144 mov eax, dword ptr fs:[00000030h] 5_2_01934144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01934144 mov ecx, dword ptr fs:[00000030h] 5_2_01934144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01934144 mov eax, dword ptr fs:[00000030h] 5_2_01934144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01934144 mov eax, dword ptr fs:[00000030h] 5_2_01934144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A7152 mov eax, dword ptr fs:[00000030h] 5_2_018A7152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A6154 mov eax, dword ptr fs:[00000030h] 5_2_018A6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A6154 mov eax, dword ptr fs:[00000030h] 5_2_018A6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189C156 mov eax, dword ptr fs:[00000030h] 5_2_0189C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01939179 mov eax, dword ptr fs:[00000030h] 5_2_01939179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189F172 mov eax, dword ptr fs:[00000030h] 5_2_0189F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A208A mov eax, dword ptr fs:[00000030h] 5_2_018A208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189D08D mov eax, dword ptr fs:[00000030h] 5_2_0189D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D909C mov eax, dword ptr fs:[00000030h] 5_2_018D909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A5096 mov eax, dword ptr fs:[00000030h] 5_2_018A5096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CD090 mov eax, dword ptr fs:[00000030h] 5_2_018CD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CD090 mov eax, dword ptr fs:[00000030h] 5_2_018CD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019660B8 mov eax, dword ptr fs:[00000030h] 5_2_019660B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019660B8 mov ecx, dword ptr fs:[00000030h] 5_2_019660B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov ecx, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov ecx, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov ecx, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov ecx, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B70C0 mov eax, dword ptr fs:[00000030h] 5_2_018B70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019220DE mov eax, dword ptr fs:[00000030h] 5_2_019220DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019750D9 mov eax, dword ptr fs:[00000030h] 5_2_019750D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191D0C0 mov eax, dword ptr fs:[00000030h] 5_2_0191D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191D0C0 mov eax, dword ptr fs:[00000030h] 5_2_0191D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C90DB mov eax, dword ptr fs:[00000030h] 5_2_018C90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A80E9 mov eax, dword ptr fs:[00000030h] 5_2_018A80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C50E4 mov eax, dword ptr fs:[00000030h] 5_2_018C50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C50E4 mov ecx, dword ptr fs:[00000030h] 5_2_018C50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_0189A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019260E0 mov eax, dword ptr fs:[00000030h] 5_2_019260E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189C0F0 mov eax, dword ptr fs:[00000030h] 5_2_0189C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E20F0 mov ecx, dword ptr fs:[00000030h] 5_2_018E20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01924000 mov ecx, dword ptr fs:[00000030h] 5_2_01924000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BE016 mov eax, dword ptr fs:[00000030h] 5_2_018BE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BE016 mov eax, dword ptr fs:[00000030h] 5_2_018BE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BE016 mov eax, dword ptr fs:[00000030h] 5_2_018BE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BE016 mov eax, dword ptr fs:[00000030h] 5_2_018BE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196903E mov eax, dword ptr fs:[00000030h] 5_2_0196903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196903E mov eax, dword ptr fs:[00000030h] 5_2_0196903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196903E mov eax, dword ptr fs:[00000030h] 5_2_0196903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196903E mov eax, dword ptr fs:[00000030h] 5_2_0196903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189A020 mov eax, dword ptr fs:[00000030h] 5_2_0189A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189C020 mov eax, dword ptr fs:[00000030h] 5_2_0189C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01926050 mov eax, dword ptr fs:[00000030h] 5_2_01926050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194705E mov ebx, dword ptr fs:[00000030h] 5_2_0194705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194705E mov eax, dword ptr fs:[00000030h] 5_2_0194705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A2050 mov eax, dword ptr fs:[00000030h] 5_2_018A2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CB052 mov eax, dword ptr fs:[00000030h] 5_2_018CB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191D070 mov ecx, dword ptr fs:[00000030h] 5_2_0191D070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01975060 mov eax, dword ptr fs:[00000030h] 5_2_01975060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov ecx, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B1070 mov eax, dword ptr fs:[00000030h] 5_2_018B1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192106E mov eax, dword ptr fs:[00000030h] 5_2_0192106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CC073 mov eax, dword ptr fs:[00000030h] 5_2_018CC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189E388 mov eax, dword ptr fs:[00000030h] 5_2_0189E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189E388 mov eax, dword ptr fs:[00000030h] 5_2_0189E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189E388 mov eax, dword ptr fs:[00000030h] 5_2_0189E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C438F mov eax, dword ptr fs:[00000030h] 5_2_018C438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C438F mov eax, dword ptr fs:[00000030h] 5_2_018C438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0197539D mov eax, dword ptr fs:[00000030h] 5_2_0197539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018F739A mov eax, dword ptr fs:[00000030h] 5_2_018F739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018F739A mov eax, dword ptr fs:[00000030h] 5_2_018F739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01898397 mov eax, dword ptr fs:[00000030h] 5_2_01898397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01898397 mov eax, dword ptr fs:[00000030h] 5_2_01898397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01898397 mov eax, dword ptr fs:[00000030h] 5_2_01898397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C33A5 mov eax, dword ptr fs:[00000030h] 5_2_018C33A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D33A0 mov eax, dword ptr fs:[00000030h] 5_2_018D33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D33A0 mov eax, dword ptr fs:[00000030h] 5_2_018D33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195B3D0 mov ecx, dword ptr fs:[00000030h] 5_2_0195B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_018AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_018AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_018AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_018AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_018AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_018AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A83C0 mov eax, dword ptr fs:[00000030h] 5_2_018A83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A83C0 mov eax, dword ptr fs:[00000030h] 5_2_018A83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A83C0 mov eax, dword ptr fs:[00000030h] 5_2_018A83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A83C0 mov eax, dword ptr fs:[00000030h] 5_2_018A83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019263C0 mov eax, dword ptr fs:[00000030h] 5_2_019263C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195C3CD mov eax, dword ptr fs:[00000030h] 5_2_0195C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h] 5_2_018B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h] 5_2_018B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h] 5_2_018B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h] 5_2_018B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h] 5_2_018B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h] 5_2_018B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h] 5_2_018B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B03E9 mov eax, dword ptr fs:[00000030h] 5_2_018B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019753FC mov eax, dword ptr fs:[00000030h] 5_2_019753FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D63FF mov eax, dword ptr fs:[00000030h] 5_2_018D63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195F3E6 mov eax, dword ptr fs:[00000030h] 5_2_0195F3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BE3F0 mov eax, dword ptr fs:[00000030h] 5_2_018BE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BE3F0 mov eax, dword ptr fs:[00000030h] 5_2_018BE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018BE3F0 mov eax, dword ptr fs:[00000030h] 5_2_018BE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DA30B mov eax, dword ptr fs:[00000030h] 5_2_018DA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DA30B mov eax, dword ptr fs:[00000030h] 5_2_018DA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DA30B mov eax, dword ptr fs:[00000030h] 5_2_018DA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189C310 mov ecx, dword ptr fs:[00000030h] 5_2_0189C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192930B mov eax, dword ptr fs:[00000030h] 5_2_0192930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192930B mov eax, dword ptr fs:[00000030h] 5_2_0192930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192930B mov eax, dword ptr fs:[00000030h] 5_2_0192930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C0310 mov ecx, dword ptr fs:[00000030h] 5_2_018C0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF32A mov eax, dword ptr fs:[00000030h] 5_2_018CF32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01897330 mov eax, dword ptr fs:[00000030h] 5_2_01897330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196132D mov eax, dword ptr fs:[00000030h] 5_2_0196132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196132D mov eax, dword ptr fs:[00000030h] 5_2_0196132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196A352 mov eax, dword ptr fs:[00000030h] 5_2_0196A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189D34C mov eax, dword ptr fs:[00000030h] 5_2_0189D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189D34C mov eax, dword ptr fs:[00000030h] 5_2_0189D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192035C mov eax, dword ptr fs:[00000030h] 5_2_0192035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192035C mov eax, dword ptr fs:[00000030h] 5_2_0192035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192035C mov eax, dword ptr fs:[00000030h] 5_2_0192035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192035C mov ecx, dword ptr fs:[00000030h] 5_2_0192035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192035C mov eax, dword ptr fs:[00000030h] 5_2_0192035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192035C mov eax, dword ptr fs:[00000030h] 5_2_0192035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01975341 mov eax, dword ptr fs:[00000030h] 5_2_01975341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01899353 mov eax, dword ptr fs:[00000030h] 5_2_01899353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01899353 mov eax, dword ptr fs:[00000030h] 5_2_01899353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01922349 mov eax, dword ptr fs:[00000030h] 5_2_01922349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194437C mov eax, dword ptr fs:[00000030h] 5_2_0194437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195F367 mov eax, dword ptr fs:[00000030h] 5_2_0195F367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A7370 mov eax, dword ptr fs:[00000030h] 5_2_018A7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A7370 mov eax, dword ptr fs:[00000030h] 5_2_018A7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A7370 mov eax, dword ptr fs:[00000030h] 5_2_018A7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE284 mov eax, dword ptr fs:[00000030h] 5_2_018DE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE284 mov eax, dword ptr fs:[00000030h] 5_2_018DE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01920283 mov eax, dword ptr fs:[00000030h] 5_2_01920283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01920283 mov eax, dword ptr fs:[00000030h] 5_2_01920283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01920283 mov eax, dword ptr fs:[00000030h] 5_2_01920283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D329E mov eax, dword ptr fs:[00000030h] 5_2_018D329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D329E mov eax, dword ptr fs:[00000030h] 5_2_018D329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01975283 mov eax, dword ptr fs:[00000030h] 5_2_01975283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B52A0 mov eax, dword ptr fs:[00000030h] 5_2_018B52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B52A0 mov eax, dword ptr fs:[00000030h] 5_2_018B52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B52A0 mov eax, dword ptr fs:[00000030h] 5_2_018B52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B52A0 mov eax, dword ptr fs:[00000030h] 5_2_018B52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019292BC mov eax, dword ptr fs:[00000030h] 5_2_019292BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019292BC mov eax, dword ptr fs:[00000030h] 5_2_019292BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019292BC mov ecx, dword ptr fs:[00000030h] 5_2_019292BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019292BC mov ecx, dword ptr fs:[00000030h] 5_2_019292BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019692A6 mov eax, dword ptr fs:[00000030h] 5_2_019692A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019692A6 mov eax, dword ptr fs:[00000030h] 5_2_019692A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019692A6 mov eax, dword ptr fs:[00000030h] 5_2_019692A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019692A6 mov eax, dword ptr fs:[00000030h] 5_2_019692A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019362A0 mov eax, dword ptr fs:[00000030h] 5_2_019362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019362A0 mov ecx, dword ptr fs:[00000030h] 5_2_019362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019362A0 mov eax, dword ptr fs:[00000030h] 5_2_019362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019362A0 mov eax, dword ptr fs:[00000030h] 5_2_019362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019362A0 mov eax, dword ptr fs:[00000030h] 5_2_019362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019362A0 mov eax, dword ptr fs:[00000030h] 5_2_019362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019372A0 mov eax, dword ptr fs:[00000030h] 5_2_019372A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019372A0 mov eax, dword ptr fs:[00000030h] 5_2_019372A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA2C3 mov eax, dword ptr fs:[00000030h] 5_2_018AA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA2C3 mov eax, dword ptr fs:[00000030h] 5_2_018AA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA2C3 mov eax, dword ptr fs:[00000030h] 5_2_018AA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA2C3 mov eax, dword ptr fs:[00000030h] 5_2_018AA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AA2C3 mov eax, dword ptr fs:[00000030h] 5_2_018AA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h] 5_2_018CB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h] 5_2_018CB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h] 5_2_018CB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h] 5_2_018CB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h] 5_2_018CB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h] 5_2_018CB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CB2C0 mov eax, dword ptr fs:[00000030h] 5_2_018CB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A92C5 mov eax, dword ptr fs:[00000030h] 5_2_018A92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A92C5 mov eax, dword ptr fs:[00000030h] 5_2_018A92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189B2D3 mov eax, dword ptr fs:[00000030h] 5_2_0189B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189B2D3 mov eax, dword ptr fs:[00000030h] 5_2_0189B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189B2D3 mov eax, dword ptr fs:[00000030h] 5_2_0189B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF2D0 mov eax, dword ptr fs:[00000030h] 5_2_018CF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF2D0 mov eax, dword ptr fs:[00000030h] 5_2_018CF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B02E1 mov eax, dword ptr fs:[00000030h] 5_2_018B02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B02E1 mov eax, dword ptr fs:[00000030h] 5_2_018B02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B02E1 mov eax, dword ptr fs:[00000030h] 5_2_018B02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195F2F8 mov eax, dword ptr fs:[00000030h] 5_2_0195F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019752E2 mov eax, dword ptr fs:[00000030h] 5_2_019752E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018992FF mov eax, dword ptr fs:[00000030h] 5_2_018992FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019512ED mov eax, dword ptr fs:[00000030h] 5_2_019512ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D7208 mov eax, dword ptr fs:[00000030h] 5_2_018D7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D7208 mov eax, dword ptr fs:[00000030h] 5_2_018D7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01975227 mov eax, dword ptr fs:[00000030h] 5_2_01975227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189823B mov eax, dword ptr fs:[00000030h] 5_2_0189823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D724D mov eax, dword ptr fs:[00000030h] 5_2_018D724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195B256 mov eax, dword ptr fs:[00000030h] 5_2_0195B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195B256 mov eax, dword ptr fs:[00000030h] 5_2_0195B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01899240 mov eax, dword ptr fs:[00000030h] 5_2_01899240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01899240 mov eax, dword ptr fs:[00000030h] 5_2_01899240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A6259 mov eax, dword ptr fs:[00000030h] 5_2_018A6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189A250 mov eax, dword ptr fs:[00000030h] 5_2_0189A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01950274 mov eax, dword ptr fs:[00000030h] 5_2_01950274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189826B mov eax, dword ptr fs:[00000030h] 5_2_0189826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A4260 mov eax, dword ptr fs:[00000030h] 5_2_018A4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A4260 mov eax, dword ptr fs:[00000030h] 5_2_018A4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A4260 mov eax, dword ptr fs:[00000030h] 5_2_018A4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C9274 mov eax, dword ptr fs:[00000030h] 5_2_018C9274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196D26B mov eax, dword ptr fs:[00000030h] 5_2_0196D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0196D26B mov eax, dword ptr fs:[00000030h] 5_2_0196D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E1270 mov eax, dword ptr fs:[00000030h] 5_2_018E1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018E1270 mov eax, dword ptr fs:[00000030h] 5_2_018E1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D4588 mov eax, dword ptr fs:[00000030h] 5_2_018D4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189758F mov eax, dword ptr fs:[00000030h] 5_2_0189758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189758F mov eax, dword ptr fs:[00000030h] 5_2_0189758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189758F mov eax, dword ptr fs:[00000030h] 5_2_0189758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192B594 mov eax, dword ptr fs:[00000030h] 5_2_0192B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192B594 mov eax, dword ptr fs:[00000030h] 5_2_0192B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A2582 mov eax, dword ptr fs:[00000030h] 5_2_018A2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A2582 mov ecx, dword ptr fs:[00000030h] 5_2_018A2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE59C mov eax, dword ptr fs:[00000030h] 5_2_018DE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15A9 mov eax, dword ptr fs:[00000030h] 5_2_018C15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15A9 mov eax, dword ptr fs:[00000030h] 5_2_018C15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15A9 mov eax, dword ptr fs:[00000030h] 5_2_018C15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15A9 mov eax, dword ptr fs:[00000030h] 5_2_018C15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15A9 mov eax, dword ptr fs:[00000030h] 5_2_018C15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019335BA mov eax, dword ptr fs:[00000030h] 5_2_019335BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019335BA mov eax, dword ptr fs:[00000030h] 5_2_019335BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019335BA mov eax, dword ptr fs:[00000030h] 5_2_019335BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019335BA mov eax, dword ptr fs:[00000030h] 5_2_019335BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195F5BE mov eax, dword ptr fs:[00000030h] 5_2_0195F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019205A7 mov eax, dword ptr fs:[00000030h] 5_2_019205A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019205A7 mov eax, dword ptr fs:[00000030h] 5_2_019205A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019205A7 mov eax, dword ptr fs:[00000030h] 5_2_019205A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h] 5_2_018CF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h] 5_2_018CF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h] 5_2_018CF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h] 5_2_018CF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h] 5_2_018CF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h] 5_2_018CF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h] 5_2_018CF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h] 5_2_018CF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CF5B0 mov eax, dword ptr fs:[00000030h] 5_2_018CF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C45B1 mov eax, dword ptr fs:[00000030h] 5_2_018C45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C45B1 mov eax, dword ptr fs:[00000030h] 5_2_018C45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019735D7 mov eax, dword ptr fs:[00000030h] 5_2_019735D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019735D7 mov eax, dword ptr fs:[00000030h] 5_2_019735D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019735D7 mov eax, dword ptr fs:[00000030h] 5_2_019735D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191D5D0 mov eax, dword ptr fs:[00000030h] 5_2_0191D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0191D5D0 mov ecx, dword ptr fs:[00000030h] 5_2_0191D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE5CF mov eax, dword ptr fs:[00000030h] 5_2_018DE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE5CF mov eax, dword ptr fs:[00000030h] 5_2_018DE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D55C0 mov eax, dword ptr fs:[00000030h] 5_2_018D55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C95DA mov eax, dword ptr fs:[00000030h] 5_2_018C95DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A65D0 mov eax, dword ptr fs:[00000030h] 5_2_018A65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DA5D0 mov eax, dword ptr fs:[00000030h] 5_2_018DA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DA5D0 mov eax, dword ptr fs:[00000030h] 5_2_018DA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019755C9 mov eax, dword ptr fs:[00000030h] 5_2_019755C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DC5ED mov eax, dword ptr fs:[00000030h] 5_2_018DC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DC5ED mov eax, dword ptr fs:[00000030h] 5_2_018DC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A25E0 mov eax, dword ptr fs:[00000030h] 5_2_018A25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h] 5_2_018C15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h] 5_2_018C15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h] 5_2_018C15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h] 5_2_018C15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h] 5_2_018C15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C15F4 mov eax, dword ptr fs:[00000030h] 5_2_018C15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D7505 mov eax, dword ptr fs:[00000030h] 5_2_018D7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D7505 mov ecx, dword ptr fs:[00000030h] 5_2_018D7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01974500 mov eax, dword ptr fs:[00000030h] 5_2_01974500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01974500 mov eax, dword ptr fs:[00000030h] 5_2_01974500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01974500 mov eax, dword ptr fs:[00000030h] 5_2_01974500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01974500 mov eax, dword ptr fs:[00000030h] 5_2_01974500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01974500 mov eax, dword ptr fs:[00000030h] 5_2_01974500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01974500 mov eax, dword ptr fs:[00000030h] 5_2_01974500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01974500 mov eax, dword ptr fs:[00000030h] 5_2_01974500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01975537 mov eax, dword ptr fs:[00000030h] 5_2_01975537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h] 5_2_0194F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h] 5_2_0194F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h] 5_2_0194F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h] 5_2_0194F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h] 5_2_0194F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h] 5_2_0194F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0194F525 mov eax, dword ptr fs:[00000030h] 5_2_0194F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE53E mov eax, dword ptr fs:[00000030h] 5_2_018CE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE53E mov eax, dword ptr fs:[00000030h] 5_2_018CE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE53E mov eax, dword ptr fs:[00000030h] 5_2_018CE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE53E mov eax, dword ptr fs:[00000030h] 5_2_018CE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018CE53E mov eax, dword ptr fs:[00000030h] 5_2_018CE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195B52F mov eax, dword ptr fs:[00000030h] 5_2_0195B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DD530 mov eax, dword ptr fs:[00000030h] 5_2_018DD530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DD530 mov eax, dword ptr fs:[00000030h] 5_2_018DD530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h] 5_2_018B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h] 5_2_018B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h] 5_2_018B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h] 5_2_018B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h] 5_2_018B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018B0535 mov eax, dword ptr fs:[00000030h] 5_2_018B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h] 5_2_018AD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h] 5_2_018AD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h] 5_2_018AD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h] 5_2_018AD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h] 5_2_018AD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AD534 mov eax, dword ptr fs:[00000030h] 5_2_018AD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A8550 mov eax, dword ptr fs:[00000030h] 5_2_018A8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A8550 mov eax, dword ptr fs:[00000030h] 5_2_018A8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D656A mov eax, dword ptr fs:[00000030h] 5_2_018D656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D656A mov eax, dword ptr fs:[00000030h] 5_2_018D656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D656A mov eax, dword ptr fs:[00000030h] 5_2_018D656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189B562 mov eax, dword ptr fs:[00000030h] 5_2_0189B562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DB570 mov eax, dword ptr fs:[00000030h] 5_2_018DB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DB570 mov eax, dword ptr fs:[00000030h] 5_2_018DB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189B480 mov eax, dword ptr fs:[00000030h] 5_2_0189B480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A9486 mov eax, dword ptr fs:[00000030h] 5_2_018A9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A9486 mov eax, dword ptr fs:[00000030h] 5_2_018A9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A64AB mov eax, dword ptr fs:[00000030h] 5_2_018A64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0192A4B0 mov eax, dword ptr fs:[00000030h] 5_2_0192A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D34B0 mov eax, dword ptr fs:[00000030h] 5_2_018D34B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D44B0 mov ecx, dword ptr fs:[00000030h] 5_2_018D44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019754DB mov eax, dword ptr fs:[00000030h] 5_2_019754DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A04E5 mov ecx, dword ptr fs:[00000030h] 5_2_018A04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_019494E0 mov eax, dword ptr fs:[00000030h] 5_2_019494E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C340D mov eax, dword ptr fs:[00000030h] 5_2_018C340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D8402 mov eax, dword ptr fs:[00000030h] 5_2_018D8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D8402 mov eax, dword ptr fs:[00000030h] 5_2_018D8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018D8402 mov eax, dword ptr fs:[00000030h] 5_2_018D8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189E420 mov eax, dword ptr fs:[00000030h] 5_2_0189E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189E420 mov eax, dword ptr fs:[00000030h] 5_2_0189E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189E420 mov eax, dword ptr fs:[00000030h] 5_2_0189E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189C427 mov eax, dword ptr fs:[00000030h] 5_2_0189C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01926420 mov eax, dword ptr fs:[00000030h] 5_2_01926420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01926420 mov eax, dword ptr fs:[00000030h] 5_2_01926420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01926420 mov eax, dword ptr fs:[00000030h] 5_2_01926420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01926420 mov eax, dword ptr fs:[00000030h] 5_2_01926420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01926420 mov eax, dword ptr fs:[00000030h] 5_2_01926420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01926420 mov eax, dword ptr fs:[00000030h] 5_2_01926420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_01926420 mov eax, dword ptr fs:[00000030h] 5_2_01926420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DA430 mov eax, dword ptr fs:[00000030h] 5_2_018DA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0195F453 mov eax, dword ptr fs:[00000030h] 5_2_0195F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h] 5_2_018AB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h] 5_2_018AB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h] 5_2_018AB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h] 5_2_018AB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h] 5_2_018AB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018AB440 mov eax, dword ptr fs:[00000030h] 5_2_018AB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h] 5_2_018DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h] 5_2_018DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h] 5_2_018DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h] 5_2_018DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h] 5_2_018DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h] 5_2_018DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h] 5_2_018DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018DE443 mov eax, dword ptr fs:[00000030h] 5_2_018DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0189645D mov eax, dword ptr fs:[00000030h] 5_2_0189645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018C245A mov eax, dword ptr fs:[00000030h] 5_2_018C245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_0197547F mov eax, dword ptr fs:[00000030h] 5_2_0197547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_018A1460 mov eax, dword ptr fs:[00000030h] 5_2_018A1460

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 144.91.79.54 80 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: DB0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 340000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1330000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1310000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1310000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 540000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: DB0000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: DB1000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: E1F008 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 340000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 341000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 5AB008 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1100000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1101000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: F7D008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1330000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1331000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1020008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1100000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1101000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: EBF008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1310000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1311000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1052008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1300000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1301000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1184008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1310000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1311000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1092008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1150000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1151000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: F1C008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 540000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 541000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3B0008
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5960" "2556" "2808" "2640" "0" "0" "2560" "0" "0" "0" "0" "0" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5264" "2560" "2180" "2464" "0" "0" "2640" "0" "0" "0" "0" "0" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2056" "2800" "2732" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3780" "2612" "2844" "2596" "0" "0" "2508" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5256" "2508" "2512" "2556" "0" "0" "2560" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5368" "2468" "2228" "2508" "0" "0" "2496" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6068" "2816" "2752" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1596" "2640" "2808" "2340" "0" "0" "2572" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4392" "2800" "2312" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6780" "2824" "2552" "2828" "0" "0" "2832" "0" "0" "0" "0" "0"
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.AddInProcess32.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.AddInProcess32.exe.db0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2428546911.0000000000DB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2428974827.0000000001710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1501321 Sample: 01_COVER_LETTER_-_FOR_E_PAY... Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected FormBook 2->49 51 4 other signatures 2->51 7 wscript.exe 1 2->7         started        10 wscript.exe 36 1 2->10         started        process3 dnsIp4 53 Wscript starts Powershell (via cmd or directly) 7->53 55 Windows Scripting host queries suspicious COM object (likely to drop second stage) 7->55 14 powershell.exe 38 7->14         started        17 powershell.exe 43 7->17         started        19 powershell.exe 7->19         started        21 7 other processes 7->21 43 144.91.79.54, 49710, 80 CONTABODE Germany 10->43 41 C:\Users\user\AppData\...\mBUojysElnsNYdM.vbs, ISO-8859 10->41 dropped 57 System process connects to network (likely due to code injection or exploit) 10->57 59 Windows Shell Script Host drops VBS files 10->59 61 Suspicious execution chain found 10->61 file5 signatures6 process7 signatures8 63 Writes to foreign memory regions 14->63 65 Injects a PE file into a foreign processes 14->65 23 wermgr.exe 19 14->23         started        25 conhost.exe 14->25         started        27 AddInProcess32.exe 14->27         started        29 wermgr.exe 3 19 17->29         started        31 conhost.exe 17->31         started        33 AddInProcess32.exe 17->33         started        35 conhost.exe 19->35         started        37 2 other processes 19->37 39 21 other processes 21->39 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
144.91.79.54
 unknown Germany
51167 CONTABODE true