01af533690ce972a69714876d3abc2f5c335b71a3de663b4a1523fdf2971c1c4

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2023 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f090c38f238f2b1832d4d35ac187478.exe
Size

14.3MB
MD5

2f090c38f238f2b1832d4d35ac187478
SHA1

cf4fd5e9a8901fa9a9a1341c37db867d00d250b2
SHA256

01af533690ce972a69714876d3abc2f5c335b71a3de663b4a1523fdf2971c1c4
SHA512

cd9dac1ba309b146d467996ba3683ea24844a4e254b91738c5e2e511e35da908787a0a4350e08f0a1e6ffaaec98696209343706645c1442c593d011f5fb18614
SSDEEP

393216:zCcG29/suG6eV0ii36jf8ByQ/J3lZvt1ZfoWpBPsF:zZG2mmE0iYiEokJPZfohF

Score

10^/10

evasion persistence ransomware themida trojan

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 48 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
4948	fsutil.exe
5072	fsutil.exe
496	fsutil.exe
3052	fsutil.exe
2040	fsutil.exe
1152	fsutil.exe
4688	fsutil.exe
1272	fsutil.exe
4760	fsutil.exe
4644	fsutil.exe
1620	fsutil.exe
5096	fsutil.exe
4504	fsutil.exe
428	fsutil.exe
1268	fsutil.exe
2888	fsutil.exe
640	fsutil.exe
1272	fsutil.exe
3744	fsutil.exe
3928	fsutil.exe
1848	fsutil.exe
2284	fsutil.exe
2608	fsutil.exe
1668	fsutil.exe
2260	fsutil.exe
2912	fsutil.exe
2292	fsutil.exe
2544	fsutil.exe
1240	fsutil.exe
4536	fsutil.exe
2252	fsutil.exe
4392	fsutil.exe
1276	fsutil.exe
1508	fsutil.exe
1568	fsutil.exe
2168	fsutil.exe
1272	fsutil.exe
3520	fsutil.exe
4720	fsutil.exe
3660	fsutil.exe
1596	fsutil.exe
552	fsutil.exe
2228	fsutil.exe
3608	fsutil.exe
2232	fsutil.exe
448	fsutil.exe
3672	fsutil.exe
2728	fsutil.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2f090c38f238f2b1832d4d35ac187478.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2f090c38f238f2b1832d4d35ac187478.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2f090c38f238f2b1832d4d35ac187478.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/5048-133-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-134-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-135-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-136-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-137-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-138-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-139-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-140-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-151-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-157-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-218-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-253-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-305-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-362-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-414-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-458-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-501-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-550-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-580-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-630-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-680-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-730-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida
behavioral2/memory/5048-778-0x00007FF600B50000-0x00007FF603035000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2f090c38f238f2b1832d4d35ac187478.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Conhost.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	sc.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	Conhost.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	sc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5048	2f090c38f238f2b1832d4d35ac187478.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-28A8211F.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\NETSH.EXE-F1B6DA12.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7194EF5E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-97BCF638.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F7F7800E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-145A3777.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot	powershell.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVE.EXE-96969DDA.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\PKXRGK.EXE-82F56A93.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7F337F0A.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98F22970.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-570206E5.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7EF4A0DD.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-E45D8788.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\NGEN.EXE-AE594A6B.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E66A223C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-AE7DB802.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TEXTINPUTHOST.EXE-4AE33179.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\ReadyBoot.etl	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\Trace1.fx	powershell.exe
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-BFD940A4.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-C4317749.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ResPriHMStaticDb.ebd	powershell.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\rblayout.xin	powershell.exe
File opened for modification	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0521102C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FCAF5656.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FFCC5BB3.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-2F0E0AF4.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\WLRMDR.EXE-C2B47318.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-D8E67ED6.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E8196656.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\WMIC.EXE-A7D06383.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-156D43F1.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-5B70F332.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-641DCE1C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-C5BE1C43.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-2C52326A.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7CB48DE8.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-CABA5DBC.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F027B880.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SHELLEXPERIENCEHOST.EXE-A3608B1E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\Trace2.fx	powershell.exe
File opened for modification	C:\Windows\Prefetch\DISM.EXE-DE199F71.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\PfPre_b185371e.mkd	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-DB926CB0.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTRANSFERHOST.EXE-CF5B50C1.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-21A1C618.pf	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2292	sc.exe
1796	sc.exe
1848	sc.exe
2804	sc.exe
3336	sc.exe
400	sc.exe
3380	sc.exe
2564	sc.exe
3076	sc.exe
1456	sc.exe
4424	sc.exe
2732	sc.exe
4952	sc.exe
2284	sc.exe
4120	sc.exe
1996	sc.exe
724	sc.exe
884	sc.exe
2976	sc.exe
4736	sc.exe
5040	sc.exe
700	sc.exe
180	sc.exe
3744	sc.exe
4712	sc.exe
4976	sc.exe
4964	sc.exe
4012	sc.exe
1292	sc.exe
1804	sc.exe
2888	sc.exe
216	sc.exe
652	sc.exe
4596	sc.exe
5060	sc.exe
1276	sc.exe
4984	sc.exe
4292	sc.exe
428	sc.exe
4928	sc.exe
4612	sc.exe
4184	sc.exe
4900	sc.exe
1780	sc.exe
2868	sc.exe
2024	sc.exe
212	sc.exe
3376	sc.exe
4432	sc.exe
2676	sc.exe
2476	sc.exe
2284	sc.exe
3076	sc.exe
4612	sc.exe
4260	sc.exe
4124	sc.exe
856	sc.exe
4144	sc.exe
1668	sc.exe
3688	sc.exe
632	sc.exe
2124	sc.exe
4764	sc.exe
1320	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4252	powershell.exe
4252	powershell.exe
4504	fsutil.exe
4464	Conhost.exe
4000	powershell.exe
4504	fsutil.exe
4464	Conhost.exe
4000	powershell.exe
2168	powershell.exe
2168	powershell.exe
2168	powershell.exe
4088	sc.exe
4088	sc.exe
4088	sc.exe
2024	powershell.exe
2024	powershell.exe
464	powershell.exe
464	powershell.exe
1752	sc.exe
1752	sc.exe
1608	powershell.exe
1608	powershell.exe
3608	Conhost.exe
3608	Conhost.exe
4320	powershell.exe
4320	powershell.exe
3884	sc.exe
3884	sc.exe
4532	powershell.exe
4532	powershell.exe
448	Conhost.exe
448	Conhost.exe
4940	powershell.exe
4940	powershell.exe
776	powershell.exe
776	powershell.exe
4764	sc.exe
4764	sc.exe
3380	Conhost.exe
3380	Conhost.exe
3940	Conhost.exe
3940	Conhost.exe
5088	powershell.exe
5088	powershell.exe
544	powershell.exe
544	powershell.exe
4436	powershell.exe
4436	powershell.exe
1492	powershell.exe
1492	powershell.exe
1964	powershell.exe
1964	powershell.exe
220	powershell.exe
220	powershell.exe
1356	powershell.exe
1356	powershell.exe
1792	powershell.exe
1792	powershell.exe
3912	powershell.exe
3912	powershell.exe
4568	powershell.exe
4568	powershell.exe
2488	powershell.exe
2488	powershell.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	4504	fsutil.exe
Token: SeDebugPrivilege	4464	Conhost.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeSystemtimePrivilege	2096	svchost.exe
Token: SeSystemtimePrivilege	2096	svchost.exe
Token: SeIncBasePriorityPrivilege	2096	svchost.exe
Token: SeSystemEnvironmentPrivilege	4504	fsutil.exe
Token: SeDebugPrivilege	4088	sc.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	1752	sc.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeSystemtimePrivilege	2096	svchost.exe
Token: SeDebugPrivilege	3608	Conhost.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	3884	sc.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	448	Conhost.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	4764	sc.exe
Token: SeDebugPrivilege	3380	Conhost.exe
Token: SeDebugPrivilege	3940	Conhost.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5048	2f090c38f238f2b1832d4d35ac187478.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4252	5048	2f090c38f238f2b1832d4d35ac187478.exe	84
PID 5048 wrote to memory of 4252	5048	2f090c38f238f2b1832d4d35ac187478.exe	84
PID 5048 wrote to memory of 2488	5048	2f090c38f238f2b1832d4d35ac187478.exe	88
PID 5048 wrote to memory of 2488	5048	2f090c38f238f2b1832d4d35ac187478.exe	88
PID 2488 wrote to memory of 180	2488	net.exe	148
PID 2488 wrote to memory of 180	2488	net.exe	148
PID 5048 wrote to memory of 4000	5048	2f090c38f238f2b1832d4d35ac187478.exe	96
PID 5048 wrote to memory of 4000	5048	2f090c38f238f2b1832d4d35ac187478.exe	96
PID 5048 wrote to memory of 4464	5048	2f090c38f238f2b1832d4d35ac187478.exe	209
PID 5048 wrote to memory of 4464	5048	2f090c38f238f2b1832d4d35ac187478.exe	209
PID 5048 wrote to memory of 4504	5048	2f090c38f238f2b1832d4d35ac187478.exe	141
PID 5048 wrote to memory of 4504	5048	2f090c38f238f2b1832d4d35ac187478.exe	141
PID 5048 wrote to memory of 4144	5048	2f090c38f238f2b1832d4d35ac187478.exe	97
PID 5048 wrote to memory of 4144	5048	2f090c38f238f2b1832d4d35ac187478.exe	97
PID 5048 wrote to memory of 2172	5048	2f090c38f238f2b1832d4d35ac187478.exe	98
PID 5048 wrote to memory of 2172	5048	2f090c38f238f2b1832d4d35ac187478.exe	98
PID 5048 wrote to memory of 4472	5048	2f090c38f238f2b1832d4d35ac187478.exe	195
PID 5048 wrote to memory of 4472	5048	2f090c38f238f2b1832d4d35ac187478.exe	195
PID 5048 wrote to memory of 2408	5048	2f090c38f238f2b1832d4d35ac187478.exe	109
PID 5048 wrote to memory of 2408	5048	2f090c38f238f2b1832d4d35ac187478.exe	109
PID 5048 wrote to memory of 2168	5048	2f090c38f238f2b1832d4d35ac187478.exe	104
PID 5048 wrote to memory of 2168	5048	2f090c38f238f2b1832d4d35ac187478.exe	104
PID 5048 wrote to memory of 3616	5048	2f090c38f238f2b1832d4d35ac187478.exe	105
PID 5048 wrote to memory of 3616	5048	2f090c38f238f2b1832d4d35ac187478.exe	105
PID 3616 wrote to memory of 2516	3616	net.exe	110
PID 3616 wrote to memory of 2516	3616	net.exe	110
PID 5048 wrote to memory of 4088	5048	2f090c38f238f2b1832d4d35ac187478.exe	250
PID 5048 wrote to memory of 4088	5048	2f090c38f238f2b1832d4d35ac187478.exe	250
PID 5048 wrote to memory of 4204	5048	2f090c38f238f2b1832d4d35ac187478.exe	274
PID 5048 wrote to memory of 4204	5048	2f090c38f238f2b1832d4d35ac187478.exe	274
PID 5048 wrote to memory of 4948	5048	2f090c38f238f2b1832d4d35ac187478.exe	119
PID 5048 wrote to memory of 4948	5048	2f090c38f238f2b1832d4d35ac187478.exe	119
PID 5048 wrote to memory of 2912	5048	2f090c38f238f2b1832d4d35ac187478.exe	120
PID 5048 wrote to memory of 2912	5048	2f090c38f238f2b1832d4d35ac187478.exe	120
PID 5048 wrote to memory of 3800	5048	2f090c38f238f2b1832d4d35ac187478.exe	123
PID 5048 wrote to memory of 3800	5048	2f090c38f238f2b1832d4d35ac187478.exe	123
PID 5048 wrote to memory of 700	5048	2f090c38f238f2b1832d4d35ac187478.exe	124
PID 5048 wrote to memory of 700	5048	2f090c38f238f2b1832d4d35ac187478.exe	124
PID 5048 wrote to memory of 2888	5048	2f090c38f238f2b1832d4d35ac187478.exe	225
PID 5048 wrote to memory of 2888	5048	2f090c38f238f2b1832d4d35ac187478.exe	225
PID 5048 wrote to memory of 2756	5048	2f090c38f238f2b1832d4d35ac187478.exe	128
PID 5048 wrote to memory of 2756	5048	2f090c38f238f2b1832d4d35ac187478.exe	128
PID 5048 wrote to memory of 428	5048	2f090c38f238f2b1832d4d35ac187478.exe	235
PID 5048 wrote to memory of 428	5048	2f090c38f238f2b1832d4d35ac187478.exe	235
PID 5048 wrote to memory of 3964	5048	2f090c38f238f2b1832d4d35ac187478.exe	133
PID 5048 wrote to memory of 3964	5048	2f090c38f238f2b1832d4d35ac187478.exe	133
PID 5048 wrote to memory of 2024	5048	2f090c38f238f2b1832d4d35ac187478.exe	135
PID 5048 wrote to memory of 2024	5048	2f090c38f238f2b1832d4d35ac187478.exe	135
PID 5048 wrote to memory of 464	5048	2f090c38f238f2b1832d4d35ac187478.exe	136
PID 5048 wrote to memory of 464	5048	2f090c38f238f2b1832d4d35ac187478.exe	136
PID 5048 wrote to memory of 3608	5048	2f090c38f238f2b1832d4d35ac187478.exe	216
PID 5048 wrote to memory of 3608	5048	2f090c38f238f2b1832d4d35ac187478.exe	216
PID 5048 wrote to memory of 4504	5048	2f090c38f238f2b1832d4d35ac187478.exe	141
PID 5048 wrote to memory of 4504	5048	2f090c38f238f2b1832d4d35ac187478.exe	141
PID 5048 wrote to memory of 4260	5048	2f090c38f238f2b1832d4d35ac187478.exe	143
PID 5048 wrote to memory of 4260	5048	2f090c38f238f2b1832d4d35ac187478.exe	143
PID 5048 wrote to memory of 216	5048	2f090c38f238f2b1832d4d35ac187478.exe	146
PID 5048 wrote to memory of 216	5048	2f090c38f238f2b1832d4d35ac187478.exe	146
PID 5048 wrote to memory of 180	5048	2f090c38f238f2b1832d4d35ac187478.exe	148
PID 5048 wrote to memory of 180	5048	2f090c38f238f2b1832d4d35ac187478.exe	148
PID 5048 wrote to memory of 448	5048	2f090c38f238f2b1832d4d35ac187478.exe	293
PID 5048 wrote to memory of 448	5048	2f090c38f238f2b1832d4d35ac187478.exe	293
PID 5048 wrote to memory of 2252	5048	2f090c38f238f2b1832d4d35ac187478.exe	151
PID 5048 wrote to memory of 2252	5048	2f090c38f238f2b1832d4d35ac187478.exe	151

C:\Users\Admin\AppData\Local\Temp\2f090c38f238f2b1832d4d35ac187478.exe
"C:\Users\Admin\AppData\Local\Temp\2f090c38f238f2b1832d4d35ac187478.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\2f090c38f238f2b1832d4d35ac187478.exe.bak' -force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\SYSTEM32\net.exe
  net stop w32time
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    PID:180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "confirm-securebootuefi"
  2⤵
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "$env:firmware_type"
  2⤵
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell (GWMI Win32_Processor).VirtualizationFirmwareEnabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:4144
- C:\Windows\SYSTEM32\w32tm.exe
  w32tm /unregister
  2⤵
  PID:2172
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SYSTEM32\net.exe
  net start w32time
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start w32time
    3⤵
    PID:2516
- C:\Windows\SYSTEM32\w32tm.exe
  w32tm /register
  2⤵
  - Sets DLL path for service in the registry
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:4088
- C:\Windows\SYSTEM32\w32tm.exe
  w32tm /resync /force
  2⤵
  PID:4204
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:4948
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2912
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:3800
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:700
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:2888
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:2756
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:428
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:3608
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:4260
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:216
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:180
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:448
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:2252
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2292
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  PID:428
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:3076
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:2124
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:1724
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:3744
- C:\Windows\SYSTEM32\net.exe
  net stop w32time
  2⤵
  PID:3824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    PID:544
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4748
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4320
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:3928
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:1996
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2232
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:3584
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:2804
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4472
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:3884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1268
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  PID:2040
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:4612
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:4184
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:552
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:2724
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:448
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2544
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2888
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:524
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:2640
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:2292
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:3076
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Enumerates connected drives
  PID:428
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:4764
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:640
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1272
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:1340
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:724
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:4508
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:2732
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:3940
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1240
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4392
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:852
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:1796
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:4712
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:1512
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4204
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:4460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1668
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1152
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  PID:1276
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:4900
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:652
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:2488
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:2676
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4928
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1508
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:3520
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:4736
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3076
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:4888
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:5060
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4644
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:5076
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Enumerates connected drives
    PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:4688
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4536
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:4596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4900
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:2788
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:2260
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4628
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3380
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2608
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  PID:1568
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:1548
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:3336
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:5040
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:3076
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4564
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2168
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1668
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:1144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1152
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:1100
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Enumerates connected drives
  - Launches sc.exe
  PID:1276
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:884
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:1780
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1848
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4720
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:3388
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:2284
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:2976
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:824
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Enumerates connected drives
    PID:1568
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:1456
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:4644
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1272
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:4556
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2604
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:3024
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:3060
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:4120
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2260
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:448
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:700
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:3952
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:1036
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:4984
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:3624
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:3660
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:5072
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:2008
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:2024
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:4268
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:2868
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:1964
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1596
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1620
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:724
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2228
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:1292
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:2732
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:2260
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:4340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2284
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:5096
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:4292
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:1796
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:4112
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:4576
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4808
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:5000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1272
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4760
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:4612
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2168
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:3816
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:3688
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:4424
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2252
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:3672
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:4108
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:1056
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:1848
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:1356
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:3380
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2728
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:3744
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:4952
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:3376
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:400
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:632
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4904
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3448
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:552
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2228
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:856
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2988
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:1804
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:1448
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:2136
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:496
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:3052
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:2016
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:2284
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:3348
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0a78e60bfb279d18fd3d6e7a67411f5

SHA1
9344fe3654a14bc66afb9dc6ea215fabfbe5c906

SHA256
a28890c82033d3deaf5770ecd1b0239c77321acc93704b1d4b1e167b91e30aeb

SHA512
9548be23bec645cd705482f78d43b63659e38cf879c34f7071f42fd86ee02039379a5e92fbe0f1c74c12aaebabdd8002f57eba111d3e855cbd0c89a110e346f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c72781b973aab61ab67897c0e38f1c27

SHA1
15d4fd58ee5964938f0e134cfc43f76b20975ae4

SHA256
f580e49106f025708cd43ff7ef090157adb1850c429cfe86ad0965035b3b7eec

SHA512
756c02e4f22a8eda7a47c7380c22b882e6947b86adad6fa2570f14fc242f7915ed820199a5622d2f4a82039e9782d4876e9f0d5b605e83477006c0fc38defae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1020B

MD5
7352b125c5df5288c6bceeb95537d33f

SHA1
c5705d1a430c265afc9ad8adb50ea771c226ae60

SHA256
98ef518be881ed051d14f287d885bacd1b60b2024a94c4c18c85a57b56198bbe

SHA512
d5fba0c48aaeeae6b305d6552d861b20c7b4631d83f178084ad3258104a1f51aa264e104d28e9df5b191d354ab7847d768eb152885888f9e8a6fcaedd27f4abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
fba0af5dbd8601bfab2e540386f9b278

SHA1
d77fc90929757fa7b2a09fc2e559dbbcc6c646ba

SHA256
ddbae2e1dd9695043890563a921ff7532ba02086ad7818959ab08c858b38a1bf

SHA512
6b6618c64cc10ed7196ee8e1cadb253083672de90d0b1f2a4f5c65aa99f6b62674adfc99721167db39c806c0f53f10d96a228013a8768769fa8a048806d6a23b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
fba0af5dbd8601bfab2e540386f9b278

SHA1
d77fc90929757fa7b2a09fc2e559dbbcc6c646ba

SHA256
ddbae2e1dd9695043890563a921ff7532ba02086ad7818959ab08c858b38a1bf

SHA512
6b6618c64cc10ed7196ee8e1cadb253083672de90d0b1f2a4f5c65aa99f6b62674adfc99721167db39c806c0f53f10d96a228013a8768769fa8a048806d6a23b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fze4tq2j.zck.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/220-473-0x0000020A68E90000-0x0000020A68EA0000-memory.dmp

Filesize
64KB

Download
memory/448-340-0x00000286F29D0000-0x00000286F29E0000-memory.dmp

Filesize
64KB

Download
memory/448-402-0x00000286F29D0000-0x00000286F29E0000-memory.dmp

Filesize
64KB

Download
memory/448-338-0x00000286F29D0000-0x00000286F29E0000-memory.dmp

Filesize
64KB

Download
memory/544-426-0x0000015AD9AF0000-0x0000015AD9D0C000-memory.dmp

Filesize
2.1MB

Download
memory/776-363-0x0000022E0D220000-0x0000022E0D230000-memory.dmp

Filesize
64KB

Download
memory/776-364-0x0000022E0D220000-0x0000022E0D230000-memory.dmp

Filesize
64KB

Download
memory/776-365-0x0000022E0D220000-0x0000022E0D230000-memory.dmp

Filesize
64KB

Download
memory/1356-486-0x000001DAD1E00000-0x000001DAD201C000-memory.dmp

Filesize
2.1MB

Download
memory/1608-275-0x00000261D3360000-0x00000261D3370000-memory.dmp

Filesize
64KB

Download
memory/1608-276-0x00000261D3360000-0x00000261D3370000-memory.dmp

Filesize
64KB

Download
memory/1664-715-0x0000025D1EDD0000-0x0000025D1EDE0000-memory.dmp

Filesize
64KB

Download
memory/1664-716-0x0000025D1EDD0000-0x0000025D1EDE0000-memory.dmp

Filesize
64KB

Download
memory/1664-717-0x0000025D1EDD0000-0x0000025D1EDE0000-memory.dmp

Filesize
64KB

Download
memory/1792-498-0x000002606D250000-0x000002606D260000-memory.dmp

Filesize
64KB

Download
memory/1792-500-0x000002606D250000-0x000002606D260000-memory.dmp

Filesize
64KB

Download
memory/1792-499-0x000002606D290000-0x000002606D4AC000-memory.dmp

Filesize
2.1MB

Download
memory/1964-460-0x0000026C280B0000-0x0000026C280C0000-memory.dmp

Filesize
64KB

Download
memory/1964-459-0x0000026C280B0000-0x0000026C280C0000-memory.dmp

Filesize
64KB

Download
memory/2024-239-0x0000028CD8D60000-0x0000028CD8D70000-memory.dmp

Filesize
64KB

Download
memory/2024-240-0x0000028CD8D60000-0x0000028CD8D70000-memory.dmp

Filesize
64KB

Download
memory/2152-555-0x000001E5C3A70000-0x000001E5C3A80000-memory.dmp

Filesize
64KB

Download
memory/2152-556-0x000001E5C3A70000-0x000001E5C3A80000-memory.dmp

Filesize
64KB

Download
memory/2168-207-0x00000165E9640000-0x00000165E9650000-memory.dmp

Filesize
64KB

Download
memory/2168-195-0x00000165E9640000-0x00000165E9650000-memory.dmp

Filesize
64KB

Download
memory/2168-194-0x00000165E9640000-0x00000165E9650000-memory.dmp

Filesize
64KB

Download
memory/2488-538-0x000001CE5FCA0000-0x000001CE5FCB0000-memory.dmp

Filesize
64KB

Download
memory/2488-537-0x000001CE5FCA0000-0x000001CE5FCB0000-memory.dmp

Filesize
64KB

Download
memory/2628-552-0x000002C970310000-0x000002C970320000-memory.dmp

Filesize
64KB

Download
memory/2628-553-0x000002C970310000-0x000002C970320000-memory.dmp

Filesize
64KB

Download
memory/2628-551-0x000002C970310000-0x000002C970320000-memory.dmp

Filesize
64KB

Download
memory/2640-614-0x00000257BC2B0000-0x00000257BC2C0000-memory.dmp

Filesize
64KB

Download
memory/2640-613-0x00000257BC2B0000-0x00000257BC2C0000-memory.dmp

Filesize
64KB

Download
memory/3344-655-0x00000188FB330000-0x00000188FB340000-memory.dmp

Filesize
64KB

Download
memory/3596-642-0x0000024A40850000-0x0000024A40860000-memory.dmp

Filesize
64KB

Download
memory/3596-641-0x0000024A40850000-0x0000024A40860000-memory.dmp

Filesize
64KB

Download
memory/3596-643-0x0000024A40850000-0x0000024A40860000-memory.dmp

Filesize
64KB

Download
memory/3608-290-0x000001DB4ECB0000-0x000001DB4ECC0000-memory.dmp

Filesize
64KB

Download
memory/3608-292-0x000001DB4ECB0000-0x000001DB4ECC0000-memory.dmp

Filesize
64KB

Download
memory/3608-291-0x000001DB4ECB0000-0x000001DB4ECC0000-memory.dmp

Filesize
64KB

Download
memory/3736-667-0x000001A019720000-0x000001A019730000-memory.dmp

Filesize
64KB

Download
memory/3912-502-0x0000014169C10000-0x0000014169C20000-memory.dmp

Filesize
64KB

Download
memory/3940-401-0x000002ABD3C00000-0x000002ABD3E1C000-memory.dmp

Filesize
2.1MB

Download
memory/4000-192-0x0000025C49590000-0x0000025C495A0000-memory.dmp

Filesize
64KB

Download
memory/4000-187-0x0000025C49590000-0x0000025C495A0000-memory.dmp

Filesize
64KB

Download
memory/4000-193-0x0000025C49590000-0x0000025C495A0000-memory.dmp

Filesize
64KB

Download
memory/4088-223-0x00000205E7AD0000-0x00000205E7AE0000-memory.dmp

Filesize
64KB

Download
memory/4088-222-0x00000205E7AD0000-0x00000205E7AE0000-memory.dmp

Filesize
64KB

Download
memory/4088-221-0x00000205E7AD0000-0x00000205E7AE0000-memory.dmp

Filesize
64KB

Download
memory/4252-228-0x0000022BB2F20000-0x0000022BB2F30000-memory.dmp

Filesize
64KB

Download
memory/4252-146-0x0000022B99770000-0x0000022B99792000-memory.dmp

Filesize
136KB

Download
memory/4252-153-0x0000022BB2F20000-0x0000022BB2F30000-memory.dmp

Filesize
64KB

Download
memory/4252-152-0x0000022BB2F20000-0x0000022BB2F30000-memory.dmp

Filesize
64KB

Download
memory/4252-156-0x0000022BB2F20000-0x0000022BB2F30000-memory.dmp

Filesize
64KB

Download
memory/4332-568-0x0000024E3CC00000-0x0000024E3CC10000-memory.dmp

Filesize
64KB

Download
memory/4428-628-0x000001347EB30000-0x000001347EB40000-memory.dmp

Filesize
64KB

Download
memory/4428-626-0x000001347EB30000-0x000001347EB40000-memory.dmp

Filesize
64KB

Download
memory/4428-627-0x000001347EB30000-0x000001347EB40000-memory.dmp

Filesize
64KB

Download
memory/4464-189-0x00000231B0920000-0x00000231B0930000-memory.dmp

Filesize
64KB

Download
memory/4464-188-0x00000231B0920000-0x00000231B0930000-memory.dmp

Filesize
64KB

Download
memory/4504-191-0x000002AA81630000-0x000002AA81640000-memory.dmp

Filesize
64KB

Download
memory/4504-190-0x000002AA81630000-0x000002AA81640000-memory.dmp

Filesize
64KB

Download
memory/4568-515-0x000001E3222F0000-0x000001E322300000-memory.dmp

Filesize
64KB

Download
memory/4568-514-0x000001E3222F0000-0x000001E322300000-memory.dmp

Filesize
64KB

Download
memory/4712-692-0x000001CCD9A60000-0x000001CCD9A70000-memory.dmp

Filesize
64KB

Download
memory/4712-691-0x000001CCD9A60000-0x000001CCD9A70000-memory.dmp

Filesize
64KB

Download
memory/4764-378-0x0000020FEF640000-0x0000020FEF85C000-memory.dmp

Filesize
2.1MB

Download
memory/5048-550-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-414-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-138-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-140-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-501-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-680-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-151-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-137-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-133-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-458-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-157-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-139-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-136-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-630-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-135-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-730-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-362-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-580-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-134-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-305-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-778-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-218-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download
memory/5048-253-0x00007FF600B50000-0x00007FF603035000-memory.dmp

Filesize
36.9MB

Download