Malware Analysis Report

2025-08-10 11:48

Sample ID: 250108-fxyt2sxrdm
Target: NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe
SHA256: 2f76c5b27fc74986634ca1c3835f056d7e08b9d17f81f5277c20db4c86b7f2c5
Tags: discovery evasion execution persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

2f76c5b27fc74986634ca1c3835f056d7e08b9d17f81f5277c20db4c86b7f2c5

Threat Level: Known bad

The file NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion execution persistence trojan

Windows security bypass

UAC bypass

Command and Scripting Interpreter: PowerShell

Event Triggered Execution: Image File Execution Options Injection

Checks computer location settings

Windows security modification

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Uses Task Scheduler COM API

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-08 05:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-08 05:15
Reported: 2025-01-08 05:18
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "\"cmd.exe\",\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe\"" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Qwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A | 2

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A | 3
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A | 60

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2536 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | C:\Windows\System32\cmd.exe | 4
PID 2536 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4
PID 2400 wrote to memory of 1144 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe | 3

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe

"C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe'"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe

"C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" explorer.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {4F2D7043-D016-42C4-A8DF-E7D34B19D472} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]

Network

N/A

Files

memory/2536-1-0x0000000000593000-0x0000000000594000-memory.dmp

memory/2536-0-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-2-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2504-7-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/2504-8-0x0000000002390000-0x0000000002398000-memory.dmp

memory/1900-19-0x0000000000400000-0x0000000000597000-memory.dmp

memory/1900-21-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-24-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-31-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-34-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-53-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-74-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-95-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-116-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-137-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-158-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-179-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-198-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-219-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-240-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-261-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-282-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2536-303-0x0000000000400000-0x0000000000597000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-08 05:15
Reported: 2025-01-08 05:18
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "\"cmd.exe\",\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe\"" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Qwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A | 50
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A | 12

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe

"C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS RUN TURN OFF ANTIVIRUS.exe'"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp

Files

memory/3780-0-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-1-0x0000000000593000-0x0000000000594000-memory.dmp

memory/3780-2-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2064-3-0x00007FFF98183000-0x00007FFF98185000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ms0swlqv.3zg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2064-13-0x000001D0EDE20000-0x000001D0EDE42000-memory.dmp

memory/2064-14-0x00007FFF98180000-0x00007FFF98C41000-memory.dmp

memory/2064-17-0x00007FFF98180000-0x00007FFF98C41000-memory.dmp

memory/3780-18-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2064-23-0x00007FFF98180000-0x00007FFF98C41000-memory.dmp

memory/3780-24-0x0000000000593000-0x0000000000594000-memory.dmp

memory/3780-27-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-32-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-53-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-74-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-95-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-116-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-137-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-158-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-179-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-200-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-221-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-242-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-263-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-284-0x0000000000400000-0x0000000000597000-memory.dmp

memory/3780-305-0x0000000000400000-0x0000000000597000-memory.dmp