Malware Analysis Report

2025-03-15 01:07

Sample ID: 240905-qx3hcasflb
Target: scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe
SHA256: 9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163
Tags: underground defense_evasion evasion execution impact persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163

Threat Level: Known bad

The file scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe was found to be: Known bad.

Malicious Activity Summary

Tags: underground defense_evasion evasion execution impact persistence ransomware

Underground Team
Deletes shadow copies
Clears Windows event logs
Deletes itself
Checks computer location settings
Drops desktop.ini file(s)
Power Settings
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Uses Volume Shadow Copy service COM API
Interacts with shadow copies
Modifies registry key
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-05 13:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-05 13:39
Reported: 2024-09-05 13:41
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe"

Signatures

Underground Team

ransomware underground

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
(This identical row is repeated 64 times in the source report.)

Deletes shadow copies

ransomware defense_evasion impact execution

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\program files\microsoft games\mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\favorites\links\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\links\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\music\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\recorded tv\sample media\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft games\purble place\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\music\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\recorded tv\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\1033\dataservices\DESKTOP.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\favorites\links for united states\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft games\hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\music\sample music\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\pictures\sample pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft games\solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\$recycle.bin\s-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft games\freecell\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft games\chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft games\spidersolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\saved games\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\f:\$recycle.bin\s-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\videos\sample videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\java\jdk1.7.0_80\jre\lib\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft games\chess\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft games\multiplayer\backgammon\de-de\bckgzm.exe.mui C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\windows defender\es-es\MpAsDesc.dll.mui C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\windows mail\fr-fr\msoeres.dll.mui C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\windows sidebar\gadgets\calendar.gadget\images\rings-desk.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\windows sidebar\gadgets\clock.gadget\images\settings_corner_top_right.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\windows sidebar\gadgets\slideshow.gadget\it-it\slideShow.html C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\J0291794.wmf C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\1033\pubspapr\PDIR49F.gif C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\forms\1033\SCDCNCLL.ico C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\pubwiz\GIFT98.poc C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\de-de\gadget.xml C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\windows sidebar\gadgets\weather.gadget\images\undocked_black_snow.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\1033\dataservices\DESKTOP.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\dvd maker\shared\dvdstyles\push\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File created \??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\onenote.en-us\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\BD00160_.wmf C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\media\office14\bullets\BD14983_.gif C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\forms\1033\TASK.cfg C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\windows sidebar\gadgets\calendar.gadget\drag.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\ink\de-de\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\ink\es-es\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\ink\ja-jp\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\FD02068_.wmf C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\images\prev_rest.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\7-zip\lang\ro.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\dvd maker\shared\dvdstyles\Heart_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\windows sidebar\gadgets\clock.gadget\images\square_s.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\SO02024_.wmf C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\videolan\vlc\locale\tr\lc_messages\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File created \??\c:\program files (x86)\microsoft office\office14\1033\grooveforms5\formsstyles\swirl\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\windows sidebar\gadgets\weather.gadget\images\16.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\adobe\reader 9.0\resource\typesupport\unicode\mappings\adobe\symbol.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\J0304371.wmf C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\windows sidebar\settings.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\videolan\vlc\locale\bs\lc_messages\vlc.mo C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\FormsHomePage.html C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\rtf_alignleft.gif C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft games\minesweeper\en-us\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File created \??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File created \??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\welcome tool\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\7-zip\History.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\windows sidebar\gadgets\weather.gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\J0099193.gif C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\document themes 14\Technic.thmx C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\NA00330_.wmf C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\PH02748G.gif C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft games\freecell\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\videolan\vlc\locale\sv\lc_messages\vlc.mo C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\J0187647.wmf C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\OMML2MML.xsl C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\pubwiz\NEWS.xml C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\pubwiz\ORIG98.poc C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
(The two wevtutil.exe rows alternate for a further 59 rows in the source report: 31 SeSecurityPrivilege and 30 SeBackupPrivilege entries in total.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\vssadmin.exe
PID 2636 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\reg.exe
PID 2636 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\net.exe
PID 2772 wrote to memory of 2668 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2636 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\vssadmin.exe
PID 2636 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\reg.exe
PID 2636 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\net.exe
PID 332 wrote to memory of 1120 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2636 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\system32\cmd.exe
(Each event is listed three times in the source report; the duplicate rows are omitted here.)
PID 2636 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\system32\cmd.exe
PID 3216 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3216 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3216 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3236 wrote to memory of 3244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3236 wrote to memory of 3244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3236 wrote to memory of 3244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3216 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
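The table above records the sample (PID 2636) spawning vssadmin.exe, reg.exe and net.exe directly, plus a cmd.exe (PID 3216) that first runs `wevtutil.exe el` through a child cmd.exe and then launches one `wevtutil.exe cl` per enumerated log; the command lines themselves are listed under Processes below. The Python script that follows is an added example, not part of this report or of any sandbox's code. It rebuilds the process tree from constructed process-creation events whose PIDs and command lines are copied from this report (the field names, the parent PID 1000 assigned to the sample, and the pairing of individual wevtutil PIDs with log names are assumptions), attributes every child back to its root ancestor, and scores the chain. The patterns accept the switch spelling exactly as recorded here (`/ v`, `/ d`), so a rule written only for `/v` would miss this command line.

```python
"""Reconstruct the process tree behind a 'wrote to memory' table and flag the
pre-encryption chain it shows: shadow-copy deletion, a service stop, an RDP
session-timeout policy change and a wevtutil log-clearing loop.
Added example; event layout and field names are assumptions."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe")

# Constructed process-creation events. PIDs and command lines come from this
# report; ppid 1000 for the sample is assumed (its parent is not shown).
EVENTS = [
    dict(pid=2636, ppid=1000, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=2408, ppid=2636, image=r"C:\Windows\System32\vssadmin.exe",
         cmdline=r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    dict(pid=1944, ppid=2636, image=r"C:\Windows\System32\reg.exe",
         cmdline=r'"C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft'
                 r'\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD'
                 r' / d 1209600000 / f'),
    dict(pid=2772, ppid=2636, image=r"C:\Windows\System32\net.exe",
         cmdline=r'"C:\Windows\System32\net.exe" stop MSSQLSERVER /f /m'),
    dict(pid=2668, ppid=2772, image=r"C:\Windows\system32\net1.exe",
         cmdline=r"C:\Windows\system32\net1 stop MSSQLSERVER /f /m"),
    dict(pid=3216, ppid=2636, image=r"C:\Windows\system32\cmd.exe",
         cmdline=f"cmd /c temp.cmd {SAMPLE}"),
    dict(pid=3236, ppid=3216, image=r"C:\Windows\system32\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /c wevtutil.exe el"),
    dict(pid=3244, ppid=3236, image=r"C:\Windows\system32\wevtutil.exe",
         cmdline="wevtutil.exe el"),
]
# The table only shows PIDs for the wevtutil children; pairing them with the
# first log names from the Processes list is an assumption.
CLEARED_LOGS = ["Analytic", "Application", "DebugChannel", "DirectShowFilterGraph",
                "DirectShowPluginControl", "Els_Hyphenation/Analytic", "EndpointMapper",
                "ForwardedEvents", "HardwareEvents", "Internet Explorer",
                "Key Management Service"]
for pid, log in zip([3256, 3272, 3284, 3296, 3308, 3320, 3332, 3344, 3356, 3368, 3380],
                    CLEARED_LOGS):
    EVENTS.append(dict(pid=pid, ppid=3216, image=r"C:\Windows\system32\wevtutil.exe",
                       cmdline=f'wevtutil.exe cl "{log}"'))

# category -> pattern; group 1 (where present) is the detail recorded.
# Switches are matched with optional whitespace after '/' to cover '/ d'.
RULES = {
    "shadow_copy_deletion": re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.I),
    "service_stop": re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(\S+)', re.I),
    "rdp_session_policy_tamper": re.compile(
        r'reg(?:\.exe)?"?\s+add\s+.*Terminal Services.*MaxDisconnectionTime'
        r'.*?/\s*d\s+(\d+)', re.I),
    "event_log_clear": re.compile(r'wevtutil(?:\.exe)?\s+cl\s+"?([^"]+)"?', re.I),
}
LOG_CLEAR_THRESHOLD = 5   # an 'el | cl' loop clears dozens; one cl alone is admin noise


def find_root(pid, by_pid):
    """Follow ppid links until the parent is unknown; that ancestor owns the chain."""
    seen = set()
    while pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent not in by_pid:
            return pid
        pid = parent
    return pid  # cycle guard for PID reuse


def analyze(events):
    """Return {root_pid: {category: sorted details}} for every rule hit."""
    by_pid = {e["pid"]: e for e in events}
    findings = defaultdict(lambda: defaultdict(set))
    for e in events:
        root = find_root(e["pid"], by_pid)
        for category, rx in RULES.items():
            m = rx.search(e["cmdline"])
            if m:
                findings[root][category].add(m.group(1) if m.groups() else e["image"])
    return {r: {c: sorted(d) for c, d in cats.items()} for r, cats in findings.items()}


def verdict(findings):
    """Map per-root findings to a verdict plus the evidence behind it."""
    out = {}
    for root, cats in findings.items():
        reasons = []
        if "shadow_copy_deletion" in cats:
            reasons.append("inhibits recovery: shadow copies deleted")
        if len(cats.get("event_log_clear", [])) >= LOG_CLEAR_THRESHOLD:
            reasons.append(f"defense evasion: {len(cats['event_log_clear'])} event logs cleared")
        for ms in cats.get("rdp_session_policy_tamper", []):
            reasons.append(f"RDP MaxDisconnectionTime set to {int(ms) / 86_400_000:.0f} days")
        for svc in cats.get("service_stop", []):
            reasons.append(f"service stopped before encryption: {svc}")
        label = ("ransomware_pre_encryption" if len(reasons) >= 3
                 else "suspicious" if reasons else "benign")
        out[root] = (label, reasons)
    return out


if __name__ == "__main__":
    for root, (label, reasons) in verdict(analyze(EVENTS)).items():
        print(root, label, *reasons, sep="\n  ")
```

Run it as a script to print the verdict for PID 2636. Two caveats worth keeping in mind: the rendered table stops at PID 3380 while the Processes list shows the loop continuing through the whole `wevtutil el` output, which is why the clear threshold is deliberately low; and each `wevtutil cl` writes Event ID 104 into the System log (1102 into Security when the Security log is cleared), so even a complete loop leaves the last clear events on the host, and everything survives on a collector if the logs were being forwarded.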

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe

"C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe"

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD / d 1209600000 / f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLSERVER /f /m

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /f /m

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD / d 1209600000 / f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLSERVER /f /m

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /f /m

C:\Windows\system32\cmd.exe

cmd /c temp.cmd C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Media Center"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MCT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TunnelDriver"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Render"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ntshrui"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "OAlerts"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Setup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "System"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "TabletPC_InputPanel_Channel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSetup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSyncEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Windows PowerShell"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "muxencode"

Network

N/A

Files

C:\Program Files\7-Zip\!!readme!!!.txt

MD5 e3adffe7c5c5a0512861866a9fac99d0
SHA1 4e1bd7b5ac85d977354ef69aefa30b333e767a17
SHA256 64baeebbf072ee1995a696b055beb290ec8adcf85a5104b3fe9c87d1ae5e2bd0
SHA512 5653fb12d3d90d633be01720059339fa447c0e186d279db83e39025fd8b6bf0da8529a638c27151c0b3ca2ef3cd4f9c9efa85416fe35ec0c678facb2e4e0d5e6

C:\Users\Admin\AppData\Local\Temp\temp.cmd

MD5 d81eac651a27977bd85805ff21a4bb7e
SHA1 78941577c618fd03df79d9e0921bb9a5e5063892
SHA256 442c16903c74297f029c964e9c78302816d3e9b9a1562ea8fd3d652790db3a5e
SHA512 b50bc5044cd6fa3a02fa2a34c63a6ed1da4c43df6a496fc92b99c9cd896b5d04dc2af57a66f248a328c0027f767af9f36048a640c027744c47389a6cbba1c88d

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-05 13:39

Reported

2024-09-05 13:40

Platform

win10v2004-20240802-en

Max time kernel

64s

Max time network

65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe"

Signatures

Underground Team

ransomware underground

Deletes shadow copies

ransomware defense_evasion impact execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\users\admin\onedrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\saved games\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\microsoft office\root\office16\1033\dataservices\DESKTOP.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\pictures\saved pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\$recycle.bin\s-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\favorites\links\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\links\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\pictures\camera roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\accountpictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\music\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\public\videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\f:\$recycle.bin\s-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\music\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\3d objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\users\admin\desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files (x86)\windows photo viewer\en-us\PhotoViewer.dll.mui C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A
File opened for modification \??\c:\program files\windowsapps\microsoft.skypeapp_14.53.77.0_x64__kzf8qxf38zg5c\assets\audio\Skype_Incoming_Video_Available.m4a C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1036 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\vssadmin.exe
PID 1036 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\vssadmin.exe
PID 1036 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\reg.exe
PID 1036 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\reg.exe
PID 1036 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\net.exe
PID 1036 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\net.exe
PID 1288 wrote to memory of 764 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1288 wrote to memory of 764 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1036 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\vssadmin.exe
PID 1036 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\vssadmin.exe
PID 1036 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\reg.exe
PID 1036 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\reg.exe
PID 1036 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\net.exe
PID 1036 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe C:\Windows\System32\net.exe
PID 8 wrote to memory of 1396 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 8 wrote to memory of 1396 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe

"C:\Users\Admin\AppData\Local\Temp\scenario_472897___e7418389-a33e-42a7-8a6f-0c5d03e00962.exe"

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD / d 1209600000 / f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLSERVER /f /m

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /f /m

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD / d 1209600000 / f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLSERVER /f /m

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /f /m

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!!readme!!!.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp

Files

C:\Program Files\7-Zip\!!readme!!!.txt

MD5 e3adffe7c5c5a0512861866a9fac99d0
SHA1 4e1bd7b5ac85d977354ef69aefa30b333e767a17
SHA256 64baeebbf072ee1995a696b055beb290ec8adcf85a5104b3fe9c87d1ae5e2bd0
SHA512 5653fb12d3d90d633be01720059339fa447c0e186d279db83e39025fd8b6bf0da8529a638c27151c0b3ca2ef3cd4f9c9efa85416fe35ec0c678facb2e4e0d5e6

C:\Users\Admin\Desktop\desktop.ini

MD5 2131f4290ef7cbf1a98893ed6b405662
SHA1 ee8fe2b9cf8c1df5d9379bc85720773cc860eec1
SHA256 1c0a0a78b4e97e4751095a014120b1252ebfbb74c3afc6f9b8003965e2234827
SHA512 f93cf58be0862f6b8201db2834d4110cb7359122566e442e665811fd2d9a8524973dcc6fb94b18534a13e86d0c9e1c76b417f39f93bbb2de6358c642bfd30e51