Description | Time |
---|---|
vssadmin.exe (PID:8832) executed with arguments: Delete Shadows /all /quiet | 8/25/2019, 8:42:10 AM |
vssadmin.exe (PID:6600) executed with arguments: Delete Shadows /all /quiet | 8/25/2019, 8:42:11 AM |
Description | Time |
---|---|
net.exe (PID:5180) executed with arguments: stop "Acronis VSS Provider" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8196) executed with arguments: stop "Enterprise Client Service" /y | 8/25/2019, 8:37:21 AM |
net1.exe (PID:8244) executed with arguments: stop "Acronis VSS Provider" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8264) executed with arguments: stop "Sophos Agent" /y | 8/25/2019, 8:37:21 AM |
net1.exe (PID:8308) executed with arguments: stop "Enterprise Client Service" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8324) executed with arguments: stop "Sophos AutoUpdate Service" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8368) executed with arguments: stop "Sophos Clean Service" /y | 8/25/2019, 8:37:21 AM |
net1.exe (PID:8376) executed with arguments: stop "Sophos Agent" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8412) executed with arguments: stop "Sophos Device Control Service" /y | 8/25/2019, 8:37:21 AM |
net1.exe (PID:8428) executed with arguments: stop "Sophos AutoUpdate Service" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8456) executed with arguments: stop "Sophos File Scanner Service" /y | 8/25/2019, 8:37:21 AM |
net1.exe (PID:8464) executed with arguments: stop "Sophos Clean Service" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8508) executed with arguments: stop "Sophos Health Service" /y | 8/25/2019, 8:37:21 AM |
net1.exe (PID:8532) executed with arguments: stop "Sophos Device Control Service" /y | 8/25/2019, 8:37:21 AM |
net1.exe (PID:8572) executed with arguments: stop "Sophos File Scanner Service" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8580) executed with arguments: stop "Sophos MCS Agent" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8624) executed with arguments: stop "Sophos MCS Client" /y | 8/25/2019, 8:37:21 AM |
net1.exe (PID:8636) executed with arguments: stop "Sophos Health Service" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8668) executed with arguments: stop "Sophos Message Router" /y | 8/25/2019, 8:37:21 AM |
net.exe (PID:8708) executed with arguments: stop "Sophos Safestore Service" /y | 8/25/2019, 8:37:21 AM |
net1.exe (PID:8716) executed with arguments: stop "Sophos MCS Agent" /y | 8/25/2019, 8:37:21 AM |
net1.exe (PID:8736) executed with arguments: stop "Sophos MCS Client" /y | 8/25/2019, 8:37:22 AM |
net1.exe (PID:8768) executed with arguments: stop "Sophos Message Router" /y | 8/25/2019, 8:37:22 AM |
net.exe (PID:8776) executed with arguments: stop "Sophos System Protection Service" /y | 8/25/2019, 8:37:22 AM |
net1.exe (PID:8816) executed with arguments: stop "Sophos Safestore Service" /y | 8/25/2019, 8:37:22 AM |
Description | Time |
---|---|
runtimebroker.exe (PID:2588) modified 0.0.filtertrie.intermediate.txt in c:\users\dave\appdata\local\packages\microsoft.windows.cortana_cw5n1h2txyewy\localstate\constraintindex\settings_{6046ba6f-7777-47aa-9ddb-0f568440641c} | 8/25/2019, 8:39:22 AM |
runtimebroker.exe (PID:2588) modified 0.1.filtertrie.intermediate.txt in c:\users\dave\appdata\local\packages\microsoft.windows.cortana_cw5n1h2txyewy\localstate\constraintindex\settings_{6046ba6f-7777-47aa-9ddb-0f568440641c} | 8/25/2019, 8:39:22 AM |
runtimebroker.exe (PID:2588) modified 0.2.filtertrie.intermediate.txt in c:\users\dave\appdata\local\packages\microsoft.windows.cortana_cw5n1h2txyewy\localstate\constraintindex\settings_{6046ba6f-7777-47aa-9ddb-0f568440641c} | 8/25/2019, 8:39:22 AM |
cmd.exe (PID:8792) modified backup.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$r6bycry\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_failed.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$r6bycry\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_in_progress.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$r6bycry\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_on_reboot.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$r6bycry\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$r99ysri\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_failed.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$r99ysri\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_in_progress.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$r99ysri\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_on_reboot.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$r99ysri\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rdj00zl\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_failed.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rdj00zl\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_in_progress.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rdj00zl\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_on_reboot.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rdj00zl\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rhtbvdf\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_failed.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rhtbvdf\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_in_progress.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rhtbvdf\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_on_reboot.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rhtbvdf\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rlmidpb\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_failed.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rlmidpb\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_in_progress.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rlmidpb\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_on_reboot.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rlmidpb\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rru16rl\images\remediation | 8/25/2019, 8:42:11 AM |
cmd.exe (PID:8792) modified backup_failed.png in c:\$recycle.bin\s-1-5-21-504499639-2275555150-236471043-1001\$rru16rl\images\remediation | 8/25/2019, 8:42:11 AM |
Description | Time |
---|---|
COKO-WIN10X64-3\dave was logged in remotely using RDP from remote machine: COKO-WIN10X64 using IP: 10.0.0.15 | 8/25/2019, 8:32:28 AM |
Description | Time |
---|---|
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\sihost.exe (PID: 2364) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\runtimebroker.exe (PID: 2588) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe (PID: 3568) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\dllhost.exe (PID: 2948) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\taskhostw.exe (PID: 2020) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\svchost.exe (PID: 4800) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\python27\python.exe (PID: 4132) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\conhost.exe (PID: 948) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\dllhost.exe (PID: 5492) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\users\dave\appdata\local\temp\p-r-0-c-3-x-p64.exe (PID: 388) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\program files\windowsapps\microsoft.skypeapp_11.19.820.0_x64__kzf8qxf38zg5c\skypehost.exe (PID: 3932) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe (PID: 7404) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\smartscreen.exe (PID: 6556) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\cmd.exe (PID: 1940) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\conhost.exe (PID: 6632) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\windows\system32\rdpclip.exe (PID: 7960) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\program files (x86)\google\chrome\application\chrome.exe (PID: 7296) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\program files (x86)\google\chrome\application\chrome.exe (PID: 6996) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\program files (x86)\google\chrome\application\chrome.exe (PID: 7692) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\program files (x86)\google\chrome\application\chrome.exe (PID: 2384) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\program files (x86)\google\chrome\application\chrome.exe (PID: 7336) | 8/25/2019, 8:37:12 AM |
ryuk.exe (PID:1036) succeeded to inject into c:\program files (x86)\google\chrome\application\chrome.exe (PID: 5064) | 8/25/2019, 8:37:12 AM |
Description | Time |
---|---|
p-r-0-c-3-x-p64.exe (PID:388) executed. | 8/25/2019, 8:37:35 AM |
Description | Time |
---|---|
cmd.exe (PID:8588) executed with arguments: /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\dave\Downloads\Ryuk.exe" /f | 8/25/2019, 8:37:32 AM |
cmd.exe (PID:1940) executed. | 8/25/2019, 8:37:37 AM |
cmd.exe (PID:3180) executed. | 8/25/2019, 8:38:48 AM |
cmd.exe (PID:8792) executed with arguments: /C "C:\users\Public\window.bat" | 8/25/2019, 8:42:10 AM |
Description | Time |
---|---|
runtimebroker.exe (PID:2588) accessed srvsvc in \\10.0.0.11\pipe | 8/25/2019, 8:41:19 AM |
Description | Time |
---|---|
taskhostw.exe (PID:2020) accessed webcachev01.dat in c:\users\dave\appdata\local\microsoft\windows\webcache | 8/25/2019, 8:38:03 AM |
smartscreen.exe (PID:6556) accessed bing.url in c:\users\administrator\favorites | 8/25/2019, 8:38:15 AM |
cmd.exe (PID:1940) accessed bing.url in c:\users\administrator\favorites | 8/25/2019, 8:38:48 AM |
rdpclip.exe (PID:7960) accessed bing.url in c:\users\administrator\favorites | 8/25/2019, 8:39:24 AM |
dllhost.exe (PID:5492) accessed bing.url in c:\users\administrator\favorites | 8/25/2019, 8:39:57 AM |
dllhost.exe (PID:5492) accessed bing.url in c:\users\dave\favorites | 8/25/2019, 8:40:07 AM |
runtimebroker.exe (PID:2588) accessed bing.url in c:\users\administrator\favorites | 8/25/2019, 8:40:32 AM |
runtimebroker.exe (PID:2588) accessed bing.url in c:\users\dave\favorites | 8/25/2019, 8:40:43 AM |
taskhostw.exe (PID:2020) accessed bing.url in c:\users\administrator\favorites | 8/25/2019, 8:42:38 AM |
taskhostw.exe (PID:2020) accessed bing.url in c:\users\dave\favorites | 8/25/2019, 8:42:49 AM |
Description | Time |
---|---|
taskkill.exe (PID:7844) executed with arguments: /IM zoolz.exe /F | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:4780) executed with arguments: /IM agntsvc.exe /F | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:6772) executed with arguments: /IM dbeng50.exe /F | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:6640) executed with arguments: /IM dbsnmp.exe /F | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:6324) executed with arguments: /IM encsvc.exe /F | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:7324) executed with arguments: /IM excel.exe /F | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:4020) executed with arguments: /IM firefoxconfig.exe /F | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:4736) executed with arguments: /IM infopath.exe /F | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:4256) executed with arguments: /IM isqlplussvc.exe /F | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:1612) executed with arguments: /IM msaccess.exe /F | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:6924) executed with arguments: /IM msftesql.exe /F | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:5392) executed with arguments: /IM mspub.exe /F | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:2820) executed with arguments: /IM mydesktopqos.exe /F | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:2008) executed with arguments: /IM mydesktopservice.exe /F | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:7144) executed with arguments: /IM mysqld.exe /F | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:7836) executed with arguments: /IM mysqld-nt.exe /F | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:8076) executed with arguments: /IM mysqld-opt.exe /F | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:4968) executed with arguments: /IM ocautoupds.exe /F | 8/25/2019, 8:37:19 AM |
taskkill.exe (PID:5116) executed with arguments: /IM ocomm.exe /F | 8/25/2019, 8:37:19 AM |
taskkill.exe (PID:6200) executed with arguments: /IM ocssd.exe /F | 8/25/2019, 8:37:19 AM |
taskkill.exe (PID:7156) executed with arguments: /IM onenote.exe /F | 8/25/2019, 8:37:19 AM |
taskkill.exe (PID:7248) executed with arguments: /IM oracle.exe /F | 8/25/2019, 8:37:19 AM |
taskkill.exe (PID:3696) executed with arguments: /IM outlook.exe /F | 8/25/2019, 8:37:19 AM |
taskkill.exe (PID:7568) executed with arguments: /IM powerpnt.exe /F | 8/25/2019, 8:37:19 AM |
taskkill.exe (PID:6512) executed with arguments: /IM sqbcoreservice.exe /F | 8/25/2019, 8:37:19 AM |
Description | Time |
---|---|
sihost.exe (PID:2364) accessed how-to-restore-files.txt in c:\!1aaaaa | 8/25/2019, 8:37:38 AM |
sihost.exe (PID:2364) accessed how-to-restore-files.txt in c:\!aa | 8/25/2019, 8:37:38 AM |
sihost.exe (PID:2364) accessed how-to-restore-files.txt in c:\$!aaaa | 8/25/2019, 8:37:38 AM |
sihost.exe (PID:2364) accessed how-to-restore-files.txt in c:\$aaaaa | 8/25/2019, 8:37:38 AM |
sihost.exe (PID:2364) accessed how-to-restore-files.txt in c:\$checkpoint | 8/25/2019, 8:37:38 AM |
smartscreen.exe (PID:6556) accessed how-to-restore-files.txt in c:\!1aaaaa | 8/25/2019, 8:37:51 AM |
smartscreen.exe (PID:6556) accessed how-to-restore-files.txt in c:\!aa | 8/25/2019, 8:37:51 AM |
smartscreen.exe (PID:6556) accessed how-to-restore-files.txt in c:\$!aaaa | 8/25/2019, 8:37:51 AM |
smartscreen.exe (PID:6556) accessed how-to-restore-files.txt in c:\$aaaaa | 8/25/2019, 8:37:51 AM |
smartscreen.exe (PID:6556) accessed how-to-restore-files.txt in c:\$checkpoint | 8/25/2019, 8:37:52 AM |
smartscreen.exe (PID:6556) accessed checkpoint!healthcaredo not!discard.xls in c:\programdata\checkpointprotectionfilesdo notdelete | 8/25/2019, 8:38:04 AM |
smartscreen.exe (PID:6556) accessed cpdeposit_don't_remove.doc in c:\programdata\checkpointprotectionfilesdo notdelete | 8/25/2019, 8:38:04 AM |
smartscreen.exe (PID:6556) accessed endpoint_creditcarddo notdiscard.xlsx in c:\programdata\checkpointprotectionfilesdo notdelete | 8/25/2019, 8:38:04 AM |
smartscreen.exe (PID:6556) accessed sandblast zero-day_planningtripdon't_discard.docx in c:\programdata\checkpointprotectionfilesdo notdelete | 8/25/2019, 8:38:04 AM |
smartscreen.exe (PID:6556) accessed eula.txt in c:\sys-1nt3rn4ls-sw33t | 8/25/2019, 8:38:07 AM |
smartscreen.exe (PID:6556) accessed psversion.txt in c:\sys-1nt3rn4ls-sw33t | 8/25/2019, 8:38:07 AM |
smartscreen.exe (PID:6556) accessed readme.txt in c:\sys-1nt3rn4ls-sw33t | 8/25/2019, 8:38:07 AM |
smartscreen.exe (PID:6556) accessed b-example-donor-report.doc in c:\users\administrator\!1aaaaa | 8/25/2019, 8:38:10 AM |
smartscreen.exe (PID:6556) accessed b-finance-manual-maf.pdf in c:\users\administrator\!1aaaaa | 8/25/2019, 8:38:10 AM |
smartscreen.exe (PID:6556) accessed b-finance-staff-jd.doc in c:\users\administrator\!1aaaaa | 8/25/2019, 8:38:10 AM |
smartscreen.exe (PID:6556) accessed b-procurement-manual.doc in c:\users\administrator\!1aaaaa | 8/25/2019, 8:38:11 AM |
smartscreen.exe (PID:6556) accessed b-sample-jds.rtf in c:\users\administrator\!1aaaaa | 8/25/2019, 8:38:11 AM |
smartscreen.exe (PID:6556) accessed b_budget-worksheet-example.xls in c:\users\administrator\!1aaaaa | 8/25/2019, 8:38:11 AM |
smartscreen.exe (PID:6556) accessed b_cash-flow-forecast.xls in c:\users\administrator\!1aaaaa | 8/25/2019, 8:38:11 AM |
smartscreen.exe (PID:6556) accessed b_sample-financing-strategy.doc in c:\users\administrator\!1aaaaa | 8/25/2019, 8:38:11 AM |
Description | Time |
---|---|
searchui.exe (PID:7404) connected to: 204.79.197.200:443 | 8/25/2019, 8:31:58 AM |
searchui.exe (PID:7404) connected to: 204.79.197.200:443 | 8/25/2019, 8:31:58 AM |
searchui.exe (PID:7404) connected to: 204.79.197.200:443 | 8/25/2019, 8:31:58 AM |
searchui.exe (PID:7404) connected to: 204.79.197.222:443 | 8/25/2019, 8:32:00 AM |
searchui.exe (PID:7404) connected to: 13.107.6.254:443 | 8/25/2019, 8:32:03 AM |
searchui.exe (PID:7404) connected to: 13.107.42.254:443 | 8/25/2019, 8:32:03 AM |
searchui.exe (PID:7404) connected to: 152.199.19.161:443 | 8/25/2019, 8:32:03 AM |
searchui.exe (PID:7404) connected to: 13.225.84.177:443 | 8/25/2019, 8:32:07 AM |
searchui.exe (PID:7404) connected to: 23.51.123.27:80 | 8/25/2019, 8:32:07 AM |
searchui.exe (PID:7404) connected to: 93.184.220.29:80 | 8/25/2019, 8:32:07 AM |
searchui.exe (PID:7404) connected to: 204.79.197.254:443 | 8/25/2019, 8:32:07 AM |
searchui.exe (PID:7404) connected to: 13.107.4.254:443 | 8/25/2019, 8:32:52 AM |
searchui.exe (PID:7404) connected to: 13.107.255.148:443 | 8/25/2019, 8:32:52 AM |
Description | Time |
---|---|
ryuk.exe (PID:1036) executed. | 8/25/2019, 8:37:12 AM |
skypehost.exe (PID:3932) executed with arguments: -ServerName:SkypeHost.ServerServer | 8/25/2019, 8:37:36 AM |
Description | Time |
---|---|
runtimebroker.exe (PID:2588) created window.bat in c:\users\public | 8/25/2019, 8:42:09 AM |
Description | Time |
---|---|
taskkill.exe (PID:7844) executed with arguments: /IM zoolz.exe /F | 8/25/2019, 8:37:17 AM |
conhost.exe (PID:3872) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:4780) executed with arguments: /IM agntsvc.exe /F | 8/25/2019, 8:37:17 AM |
conhost.exe (PID:7848) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:6772) executed with arguments: /IM dbeng50.exe /F | 8/25/2019, 8:37:17 AM |
conhost.exe (PID:4244) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:6640) executed with arguments: /IM dbsnmp.exe /F | 8/25/2019, 8:37:17 AM |
conhost.exe (PID:4328) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:6324) executed with arguments: /IM encsvc.exe /F | 8/25/2019, 8:37:17 AM |
conhost.exe (PID:5780) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:7324) executed with arguments: /IM excel.exe /F | 8/25/2019, 8:37:17 AM |
conhost.exe (PID:7196) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:4020) executed with arguments: /IM firefoxconfig.exe /F | 8/25/2019, 8:37:17 AM |
conhost.exe (PID:5324) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:17 AM |
taskkill.exe (PID:4736) executed with arguments: /IM infopath.exe /F | 8/25/2019, 8:37:17 AM |
conhost.exe (PID:6552) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:4256) executed with arguments: /IM isqlplussvc.exe /F | 8/25/2019, 8:37:18 AM |
conhost.exe (PID:4012) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:1612) executed with arguments: /IM msaccess.exe /F | 8/25/2019, 8:37:18 AM |
conhost.exe (PID:2840) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:6924) executed with arguments: /IM msftesql.exe /F | 8/25/2019, 8:37:18 AM |
conhost.exe (PID:6828) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:5392) executed with arguments: /IM mspub.exe /F | 8/25/2019, 8:37:18 AM |
conhost.exe (PID:3376) executed with arguments: 0xffffffff -ForceV1 | 8/25/2019, 8:37:18 AM |
taskkill.exe (PID:2820) executed with arguments: /IM mydesktopqos.exe /F | 8/25/2019, 8:37:18 AM |
Description | Time |
---|---|
reg.exe (PID:1612) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001\software\microsoft\windows\currentversion\run\svchos = C:\Users\dave\Downloads\Ryuk.exe | 8/25/2019, 8:37:32 AM |
reg.exe (PID:1612) executed with arguments: ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\dave\Downloads\Ryuk.exe" /f | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\software\microsoft\windows\shell\muicache\c:\windows\system32\cmd.exe.friendlyappname = Windows Command Processor | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\software\microsoft\windows\shell\muicache\c:\windows\system32\cmd.exe.applicationcompany = Microsoft Corporation | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\muicache\81\52c64b7e\@twinui.dll,-10211 = display;projector;TV;monitor | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\muicache\81\52c64b7e\@twinui.dll,-10210 = Project to a second screen | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\muicache\81\52c64b7e\@%systemroot%\system32\tabletpc.cpl,-10103 = Pen and Touch | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\muicache\81\52c64b7e\@%systemroot%\system32\workfolderscontrol.dll,-1 = Work Folders | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\muicache\81\52c64b7e\@%systemroot%\system32\speech\speechux\sapi.cpl,-1 = Text to Speech | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\muicache\81\52c64b7e\@%systemroot%\system32\irprops.cpl,-1 = Infrared | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\muicache\81\52c64b7e\@%systemroot%\system32\pwcreator.exe,-151 = Windows To Go | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\muicache\81\52c64b7e\@%systemroot%\system32\tabletpc.cpl,-10100 = Tablet PC Settings | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\muicache\81\52c64b7e\@%systemroot%\system32\mblctr.exe,-1002 = Windows Mobility Center | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_workplace_relatedsettings/highkeywords} = provision;provisioning;package;packages;add package;remove package | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_workplace_relatedsettings/description} = Add or remove a provisioning package | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_workplace_corpdevicemanagement/highkeywords} = company companies;Organization organizations;Workplace | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_workplace_corpdevicemanagement/description} = Allow your organization to manage your PC | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_workaccess_provisionpackage/highkeywords} = provision;provisioning;package;packages;add package;remove package | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_workaccess_provisionpackage/description} = Add or remove a provisioning package | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_virtualdesktops_taskbarfilter/highkeywords} = taskbar;virtual desktop;filter;additional;add;new;multiple;multitasking | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_virtualdesktops_taskbarfilter/description} = Choose what windows show on the taskbar when using virtual desktops | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_virtualdesktops_alttabfilter/highkeywords} = alt;tab;alttab;virtual desktop;filter;additional;add;new;multiple;multitasking | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_virtualdesktops_alttabfilter/description} = Choose what windows show when pressing Alt+Tab when using virtual desktops | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_users_pinpassword/highkeywords} = work;passport;corporate;organization;store;add;change;remove;delete;reset;forgot;PIN PINs; | 8/25/2019, 8:37:32 AM |
runtimebroker.exe (PID:2588) modified HKU\s-1-5-21-504499639-2275555150-236471043-1001_classes\local settings\mrtcache\c:%5cwindows%5csystemresources%5cwindows.ui.settingsappthreshold%5cwindows.ui.settingsappthreshold.pri\1d3a89f2d172841\326bcf6e\@{windows?ms-resource://windows.ui.settingsappthreshold/searchresources/systemsettings_users_pinpassword/description} = Set up PIN sign-in | 8/25/2019, 8:37:32 AM |